Audience

This guide is for the networking professional managing the Cisco Gigabit Ethernet Switch Module (CGESM), referred to as the switch. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.

Purpose

This guide provides the information that you need to configure Cisco IOS software features on your switch. The Cisco Catalyst Blade Switch software provides enterprise-class intelligent services such as access control lists (ACLs) and quality of service (QoS) features.

This guide provides procedures for using the commands that have been created or changed for use with the Cisco Catalyst Blade Switch. It does not provide detailed information about these commands. For detailed information about these commands, see the Cisco Catalyst Blade Switch Command Reference for this release. For information about the standard Cisco IOS Release 12.2 commands, see the Cisco IOS documentation set available from the Cisco.com home page at Technical Support & Documentation > Cisco IOS Software.

This guide does not provide detailed information on the graphical user interfaces (GUIs) for the embedded device manager or for Cisco Network Assistant (hereafter referred to as Network Assistant) that you can use to manage the switch. However, the concepts in this guide are applicable to the GUI user. For information about the device manager, see the switch online help. For information about Network Assistant, see Getting Started with Cisco Network Assistant, available on Cisco.com.

This guide does not describe system messages you might encounter or how to install your switch. For more information, see the Cisco Catalyst Blade Switch System Message Guide for this release and the Cisco Catalyst Blade Switch Hardware Installation Guide.

For documentation updates, see the release notes for this release.
Conventions

This publication uses these conventions to convey instructions and information:

Command descriptions use these conventions:

• Commands and keywords are in boldface text.

• Arguments for which you supply values are in italic.

• Square brackets ([ ]) mean optional elements.

• Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.

• Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element.

Interactive examples use these conventions:

• Terminal sessions and system displays are in screen font.

• Information you enter is in boldface screen font.

• Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).

Notes, cautions, and timesavers use these conventions and symbols:

Note Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual.

Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Related Publications

These documents provide complete information about the switch and are available from this Cisco.com site:

Note Before installing, configuring, or upgrading the switch, see these documents:

• For initial configuration information, see the blade switch configuration and installation instructions in the getting started guide or the "Configuring the Switch with the CLI-Based Setup Program" appendix in the hardware installation guide.

• For device manager requirements, see the "System Requirements" section in the release notes (not orderable but available on Cisco.com).

• For Network Assistant requirements, see the Getting Started with Cisco Network Assistant (not orderable but available on Cisco.com).

• For cluster requirements, see the Release Notes for Cisco Network Assistant (not orderable but available on Cisco.com).

• For upgrading information, see the "Downloading Software" section in the release notes.
You can order printed copies of documents with a DOC-xxxxxx= number from the Cisco.com sites and from the telephone numbers listed in the "Obtaining Documentation, Obtaining Support, and Security Guidelines" section on page xxxi.

• Cisco Small Form-Factor Pluggable Modules Installation Notes (order number DOC-7815160=)

• These compatibility matrix documents are available from this Cisco.com site:

http://www.cisco.com/en/US/products/hw/modules/ps5455/products_device_support_tables_list.html

- Cisco Gigabit Ethernet Transceiver Modules Compatibility Matrix (not orderable but available on Cisco.com)

- Cisco Small Form-Factor Pluggable Modules Compatibility Matrix (not orderable but available on Cisco.com)

- Compatibility Matrix for 1000BASE-T Small Form-Factor Pluggable Modules (not orderable but available on Cisco.com)

• Getting Started with Cisco Network Assistant (not orderable but available on Cisco.com)

• Release Notes for Cisco Network Assistant (not orderable but available on Cisco.com)

• Cisco RPS 300 Redundant Power System Hardware Installation Guide (order number DOC-7810372=)

• Cisco RPS 675 Redundant Power System Hardware Installation Guide (order number DOC-7815201=)

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Overview

This chapter provides these topics about the switch software:

• Features, page 1-1

• Default Settings After Initial Switch Configuration, page 1-9

• Design Concepts for Using the Switch, page 1-12

• Where to Go Next, page 1-14

In this document, IP refers to IP Version 4 (IPv4).

Features

Some features described in this chapter are available only on the cryptographic (supports encryption) version of the software. You must obtain authorization to use this feature and to download the cryptographic version of the software from Cisco.com. For more information, see the release notes for this release.

The switch has these features:

• Ease-of-Deployment and Ease-of-Use Features, page 1-2

• Performance Features, page 1-3

• Management Options, page 1-4

• Manageability Features, page 1-4 (includes a feature requiring the cryptographic version of the software)

• Availability and Redundancy Features, page 1-5

• VLAN Features, page 1-6

• Security Features, page 1-7 (includes a feature requiring the cryptographic version of the software)

• QoS and CoS Features, page 1-8

• Monitoring Features, page 1-9
Ease-of-Deployment and Ease-of-Use Features

The switch ships with these features to make the deployment and the use easier:

• Express Setup for quickly configuring a switch for the first time with basic IP information, contact information, switch and Telnet passwords, and Simple Network Management Protocol (SNMP) information through a browser-based program. For more information about Express Setup, see the getting started guide.

• User-defined and Cisco-default Smartports macros for creating custom switch configurations for simplified deployment across the network.

• Cisco Network Assistant (hereafter referred to as Network Assistant) for

- Managing communities, which are device groups like clusters, except that they can contain routers and access points and can be made more secure.

- Simplifying and minimizing switch and switch cluster management from anywhere in your intranet.

- Accomplishing multiple configuration tasks from a single graphical interface without needing to remember command-line interface (CLI) commands to accomplish specific tasks.

- Interactive guide mode that guides you in configuring complex features such as VLANs, ACLs, and quality of service (QoS).

- Configuration wizards that prompt you to provide only the minimum required information to configure complex features such as QoS priorities for video traffic, priority levels for data applications, and security.

- Downloading an image to a switch.

- Applying actions to multiple ports and multiple switches at the same time, such as VLAN and QoS settings, inventory and statistic reports, link- and switch-level monitoring and troubleshooting, and multiple switch software upgrades.

- Viewing a topology of interconnected devices to identify existing switch clusters and eligible switches that can join a cluster and to identify link information between switches.

- Monitoring real-time status of a switch or multiple switches from the LEDs on the front-panel images. The system, redundant power system (RPS), and port LED colors on the images are similar to those used on the physical LEDs.

• Switch clustering technology for

- Unified configuration, monitoring, authentication, and software upgrade of multiple, cluster-capable switches, regardless of their geographic proximity and interconnection media, including Ethernet, Fast Ethernet, Fast EtherChannel, small form-factor pluggable (SFP) modules, Gigabit Ethernet, and Gigabit EtherChannel connections. For a list of cluster-capable switches, see the release notes.

- Automatic discovery of candidate switches and creation of clusters of up to 16 switches that can be managed through a single IP address.

- Extended discovery of cluster candidates that are not directly connected to the command switch.

1-2 


j    Cisco  Gigabit  Ethernet  Switch  Module  for  HP  p-Class  BladeSystem  Software  Configuration  Guide 


380261-003  I 


I  Chapter  1  Overview 


Features 11 


Performance Features

The switch ships with these performance features:

• Autosensing of port speed and autonegotiation of duplex mode on all switch ports for optimizing bandwidth

• Automatic-medium-dependent interface crossover (auto-MDIX) capability on 10/100 and 10/100/1000 Mb/s interfaces that enables the interface to automatically detect the required cable connection type (straight-through or crossover) and to configure the connection appropriately

• Support for up to 9000 bytes for frames that are bridged in hardware and up to 2000 bytes for frames that are bridged by software

• IEEE 802.3x flow control on all ports (the switch does not send pause frames)

• EtherChannel for enhanced fault tolerance and for providing up to 8 Gb/s (Gigabit EtherChannel) full-duplex bandwidth among switches, routers, and servers

• Port Aggregation Protocol (PAgP) and Link Aggregation Control Protocol (LACP) for automatic creation of EtherChannel links

• Forwarding of Layer 2 packets at Gigabit line rate

• Per-port storm control for preventing broadcast, multicast, and unicast storms

• Port blocking on forwarding unknown Layer 2 unicast, multicast, and bridged broadcast traffic

• Internet Group Management Protocol (IGMP) snooping for IGMP Versions 1, 2, and 3 for efficiently forwarding multimedia and multicast traffic

• IGMP report suppression for sending only one IGMP report per multicast router query to the multicast devices (supported only for IGMPv1 or IGMPv2 queries)

• IGMP snooping querier support to configure the switch to generate periodic IGMP General Query messages

• Multicast VLAN registration (MVR) to continuously send multicast streams in a multicast VLAN while isolating the streams from subscriber VLANs for bandwidth and security reasons

• IGMP filtering for controlling the set of multicast groups to which hosts on a switch port can belong

• IGMP throttling for configuring the action when the maximum number of entries is in the IGMP forwarding table

• IGMP leave timer for configuring the leave latency for the network
Management Options

These are the options for configuring and managing the switch:

• An embedded device manager — The device manager is a GUI that is integrated in the software image. You use it to configure and to monitor a single switch. For information about launching the device manager, see the getting started guide. For more information about the device manager, see the switch online help.

• Network Assistant — Network Assistant is a network management application that can be downloaded from Cisco.com. You use it to manage a single switch, a cluster of switches, or a community of devices. For more information about Network Assistant, see Getting Started with Cisco Network Assistant, available on Cisco.com.

• CLI — The Cisco IOS software supports desktop- and multilayer-switching features. You can access the CLI either by connecting your management station directly to the switch console port or by using Telnet from a remote management station. For more information about the CLI, see Chapter 2, "Using the Command-Line Interface."

• SNMP — SNMP management applications such as CiscoWorks2000 LAN Management Suite (LMS) and HP OpenView. You can manage from an SNMP-compatible management station that is running platforms such as HP OpenView or SunNet Manager. The switch supports a comprehensive set of MIB extensions and four remote monitoring (RMON) groups. For more information about using SNMP, see Chapter 25, "Configuring SNMP."

• IE2100 — Cisco Intelligence Engine 2100 Series Configuration Registrar is a network management device that works with embedded Cisco Networking Services (CNS) agents in the switch software. You can automate initial configurations and configuration updates by generating switch-specific configuration changes, sending them to the switch, executing the configuration change, and logging the results.

For more information about IE2100, see Chapter 4, "Configuring Cisco IOS CNS Agents."

Manageability Features

These are the manageability features:

• Cisco IE2100 Series CNS embedded agents for automating switch management, configuration storage, and delivery

• DHCP for automating configuration of switch information (such as IP address, default gateway, hostname, and Domain Name System [DNS] and TFTP server names)

• DHCP relay for forwarding User Datagram Protocol (UDP) broadcasts, including IP address requests, from DHCP clients

• DHCP server for automatic assignment of IP addresses and other DHCP options to IP hosts

• Directed unicast requests to a DNS server for identifying a switch through its IP address and its corresponding hostname and to a TFTP server for administering software upgrades from a TFTP server

• Address Resolution Protocol (ARP) for identifying a switch through its IP address and its corresponding MAC address

• Unicast MAC address filtering to drop packets with specific source or destination MAC addresses

• Cisco Discovery Protocol (CDP) Versions 1 and 2 for network topology discovery and mapping between the switch and other Cisco devices on the network

1-4 


j    Cisco  Gigabit  Ethernet  Switch  Module  for  HP  p-Class  BladeSystem  Software  Configuration  Guide 


380261-003  I 


I  Chapter  1  Overview 


Features H 


• Link Layer Discovery Protocol (LLDP) and LLDP Media Endpoint Discovery (LLDP-MED) for interoperability with third-party IP phones

• Network Time Protocol (NTP) for providing a consistent time stamp to all switches from an external source

• Cisco IOS File System (IFS) for providing a single interface to all file systems that the switch uses

• Configuration logging to log and to view changes to the switch configuration

• Unique device identifier to provide product identification information through a show inventory user EXEC command display

• In-band management access through the device manager over a Netscape Navigator or Microsoft Internet Explorer browser session

• In-band management access for up to 16 simultaneous Telnet connections for multiple CLI-based sessions over the network

• In-band management access for up to five simultaneous, encrypted Secure Shell (SSH) connections for multiple CLI-based sessions over the network (requires the cryptographic version of the software)

• In-band management access through SNMP Versions 1, 2c, and 3 get and set requests

• Out-of-band management access through the switch console port to a directly attached terminal or to a remote terminal through a serial connection or a modem

• Secure Copy Protocol (SCP) feature to provide a secure and authenticated method for copying switch configuration or switch image files (requires the cryptographic version of the software)

Note For additional descriptions of the management interfaces, see the "Design Concepts for Using the Switch" section on page 1-12.

Availability and Redundancy Features

These are the availability and redundancy features:

• UniDirectional Link Detection (UDLD) and aggressive UDLD for detecting and disabling unidirectional links on fiber-optic interfaces caused by incorrect fiber-optic wiring or port faults

• IEEE 802.1D Spanning Tree Protocol (STP) for redundant backbone connections and loop-free networks. STP has these features:

- Up to 128 spanning-tree instances supported

- Per-VLAN spanning-tree plus (PVST+) for load balancing across VLANs

- Rapid PVST+ for load balancing across VLANs and providing rapid convergence of spanning-tree instances

- UplinkFast and BackboneFast for fast convergence after a spanning-tree topology change and for achieving load balancing between redundant uplinks, including Gigabit uplinks

• IEEE 802.1s Multiple Spanning Tree Protocol (MSTP) for grouping VLANs into a spanning-tree instance and for providing multiple forwarding paths for data traffic and load balancing, and rapid per-VLAN Spanning-Tree plus (rapid-PVST+) based on the IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) for rapid convergence of the spanning tree by immediately changing root and designated ports to the forwarding state

• Optional spanning-tree features available in PVST+, rapid-PVST+, and MSTP mode:

- Port Fast for eliminating the forwarding delay by enabling a port to immediately change from the blocking state to the forwarding state

- BPDU guard for shutting down Port Fast-enabled ports that receive bridge protocol data units (BPDUs)

- BPDU filtering for preventing a Port Fast-enabled port from sending or receiving BPDUs

- Root guard for preventing switches outside the network core from becoming the spanning-tree root

- Loop guard for preventing alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link

• Flex Link Layer 2 interfaces to back up one another as an alternative to STP for basic link redundancy

• Link state tracking (Layer 2 trunk failover) to mirror the state of the external Ethernet links and to allow the failover of the processor blade traffic to an operational external link on a separate Cisco Ethernet switch

• RPS support through the Cisco RPS 300 and Cisco RPS 675 for enhancing power reliability

Note The switch supports up to 64 spanning-tree instances.
VLAN Features

These are the VLAN features:

• Support for up to 1005 VLANs for assigning users to VLANs associated with appropriate network resources, traffic patterns, and bandwidth

• Support for VLAN IDs in the 1 to 4094 range as allowed by the IEEE 802.1Q standard

• VLAN Query Protocol (VQP) for dynamic VLAN membership

• IEEE 802.1Q trunking encapsulation on all ports for network moves, adds, and changes; management and control of broadcast and multicast traffic; and network security by establishing VLAN groups for high-security users and network resources

• Dynamic Trunking Protocol (DTP) for negotiating trunking on a link between two devices and for negotiating the type of trunking encapsulation (IEEE 802.1Q) to be used

• VLAN Trunking Protocol (VTP) and VTP pruning for reducing network traffic by restricting flooded traffic to links destined for stations receiving the traffic

• Voice VLAN for creating subnets for voice traffic from Cisco IP Phones

• VLAN 1 minimization for reducing the risk of spanning-tree loops or storms by allowing VLAN 1 to be disabled on any individual VLAN trunk link. With this feature enabled, no user traffic is sent or received on the trunk. The switch CPU continues to send and receive control protocol frames.

• VLAN Flex Link Load Balancing to provide Layer 2 redundancy without requiring Spanning Tree Protocol (STP). A pair of interfaces configured as primary and backup links can load balance traffic based on VLAN.
Security Features

The switch ships with these security features:

• Password-protected access (read-only and read-write access) to management interfaces (device manager, Network Assistant, and the CLI) for protection against unauthorized configuration changes

• Multilevel security for a choice of security level, notification, and resulting actions

• Static MAC addressing for ensuring security

• Protected port option for restricting the forwarding of traffic to designated ports on the same switch

• Port security option for limiting and identifying MAC addresses of the stations allowed to access the port

• VLAN-aware port security option to shut down the VLAN on the port when a violation occurs, instead of shutting down the entire port

• Port security aging to set the aging time for secure addresses on a port

• BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs

• Standard and extended IP access control lists (ACLs) for defining security policies in both directions on VLANs and inbound on Layer 2 interfaces (port ACLs)

• Extended MAC access control lists for defining security policies in the inbound direction on Layer 2 interfaces

• VLAN ACLs (VLAN maps) for providing intra-VLAN security by filtering traffic based on information in the MAC, IP, and TCP/UDP headers

• Source and destination MAC-based ACLs for filtering non-IP traffic

• DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers

• IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from gaining access to the network. These features are supported:

- VLAN assignment for restricting IEEE 802.1x-authenticated users to a specified VLAN

- Port security for controlling access to IEEE 802.1x ports

- Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized or unauthorized state of the port

- Guest VLAN to provide limited services to non-IEEE 802.1x-compliant users

- Restricted VLAN to provide limited services to users who are IEEE 802.1x compliant, but do not have the credentials to authenticate via the standard IEEE 802.1x processes

- IEEE 802.1x accounting to track network usage

- IEEE 802.1x with wake-on-LAN to allow dormant PCs to be powered on based on the receipt of a specific Ethernet frame

• MAC authentication bypass to authorize clients based on the client MAC address

• Network Admission Control (NAC) Layer 2 IEEE 802.1x validation of the antivirus condition or posture of endpoint systems or clients before granting the devices network access

• TACACS+, a proprietary feature for managing network security through a TACACS server

• RADIUS for verifying the identity of, granting access to, and tracking the actions of remote users through authentication, authorization, and accounting (AAA) services

• Kerberos security system to authenticate requests for network resources by using a trusted third party (requires the cryptographic version of the software)

• Secure Socket Layer (SSL) Version 3.0 support for the HTTP 1.1 server authentication, encryption, and message integrity and HTTP client authentication to allow secure HTTP communications (requires the cryptographic version of the software)
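The three port-security items in the list above (a bounded table of allowed MAC addresses, the VLAN-aware violation action, and aging of secure addresses) interact in ways the one-line descriptions do not show. The following Python model is an added illustration, not Cisco code and not a description of how Cisco IOS implements the feature: the SecurePort class, its fields, the action strings it returns and the sample frames are all constructed for this example, and the real switch offers more violation modes than the two modelled here.

```python
"""Toy model of the port-security behaviour listed above.

Added illustration, not Cisco code: the class, its fields and the action
strings are invented for this example. A secure port keeps a bounded table
of allowed source MACs; a frame from an unknown MAC is accepted only while
the table has room, and once it is full the frame is a violation. The
violation action is either to shut down the whole port or, in the
VLAN-aware variant, only the VLAN the offending frame arrived on. Secure
addresses can age out so a station that left the port frees its slot.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SecurePort:
    max_addresses: int = 1              # maximum secure MACs on the port
    vlan_aware: bool = False            # True: shut the VLAN, not the port
    aging_time: Optional[float] = None  # seconds; None disables aging
    secure: Dict[str, Tuple[int, float]] = field(default_factory=dict)  # mac -> (vlan, last seen)
    port_down: bool = False
    vlans_down: Set[int] = field(default_factory=set)
    log: List[str] = field(default_factory=list)  # what a syslog would record

    def _age_out(self, now: float) -> None:
        """Drop secure addresses not seen within aging_time."""
        if self.aging_time is None:
            return
        for mac, (_, seen) in list(self.secure.items()):
            if now - seen > self.aging_time:
                del self.secure[mac]
                self.log.append(f"aged out {mac}")

    def receive(self, src_mac: str, vlan: int, now: float) -> str:
        """Process one ingress frame and return the action taken."""
        src_mac = src_mac.lower()
        if self.port_down:
            return "drop:port-down"
        if vlan in self.vlans_down:
            return "drop:vlan-down"
        self._age_out(now)
        if src_mac in self.secure:
            self.secure[src_mac] = (vlan, now)     # refresh the aging timer
            return "forward"
        if len(self.secure) < self.max_addresses:
            self.secure[src_mac] = (vlan, now)     # dynamically learn it
            self.log.append(f"learned {src_mac} on VLAN {vlan}")
            return "forward"
        # Table full and the source is unknown: this is a violation.
        if self.vlan_aware:
            self.vlans_down.add(vlan)
            self.log.append(f"violation by {src_mac}: VLAN {vlan} shut down")
            return "violation:vlan-shutdown"
        self.port_down = True
        self.log.append(f"violation by {src_mac}: port shut down")
        return "violation:port-shutdown"


def demo() -> List[str]:
    """Constructed traffic: one allowed station, then a second station appears."""
    port = SecurePort(max_addresses=1, vlan_aware=True, aging_time=60.0)
    frames = [  # (source MAC, VLAN, arrival time in seconds); constructed sample values
        ("00:11:22:aa:bb:01", 10, 0.0),    # learned
        ("00:11:22:aa:bb:01", 10, 10.0),   # refresh
        ("00:11:22:aa:bb:02", 20, 100.0),  # first station aged out, second learned
        ("00:11:22:aa:bb:03", 20, 101.0),  # table full -> VLAN 20 shut down
        ("00:11:22:aa:bb:02", 10, 102.0),  # known MAC on VLAN 10 still forwards
        ("00:11:22:aa:bb:03", 20, 103.0),  # VLAN 20 is down
    ]
    return [port.receive(mac, vlan, t) for mac, vlan, t in frames]


if __name__ == "__main__":
    for action in demo():
        print(action)
```

The point the model makes visible is the trade-off behind the VLAN-aware option: with the plain action the first violation takes the port, and every legitimate station behind it, offline; with the VLAN-aware action only the offending VLAN is lost and the other VLANs on the port keep forwarding. Either way the violation is logged, which is the event a monitoring system should alert on.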

QoS and CoS Features

These are the QoS and CoS features:

• Automatic QoS (auto-QoS) to simplify the deployment of existing QoS features by classifying traffic and configuring egress queues

• Classification

- IP type-of-service/Differentiated Services Code Point (IP ToS/DSCP) and IEEE 802.1p CoS marking priorities on a per-port basis for protecting the performance of mission-critical applications

- IP ToS/DSCP and IEEE 802.1p CoS marking based on flow-based packet classification (classification based on information in the MAC, IP, and TCP/UDP headers) for high-performance quality of service at the network edge, allowing for differentiated service levels for different types of network traffic and for prioritizing mission-critical traffic in the network

- Trusted port states (CoS, DSCP, and IP precedence) within a QoS domain and with a port bordering another QoS domain

- Trusted boundary for detecting the presence of a Cisco IP Phone, trusting the CoS value received, and ensuring port security

• Policing

- Traffic-policing policies on the switch port for managing how much of the port bandwidth should be allocated to a specific traffic flow

- In Cisco IOS Release 12.2(25)SED and later, if you configure multiple class maps for a hierarchical policy map, each class map can be associated with its own port-level (second-level) policy map. Each second-level policy map can have a different policer.

- Aggregate policing for policing traffic flows in aggregate to restrict specific applications or traffic flows to metered, predefined rates

• Out-of-Profile

- Out-of-profile markdown for packets that exceed bandwidth utilization limits

• Ingress queueing and scheduling

- Two configurable ingress queues for user traffic (one queue can be the priority queue)

- Weighted tail drop (WTD) as the congestion-avoidance mechanism for managing the queue lengths and providing drop precedences for different traffic classifications

- Shaped round robin (SRR) as the scheduling service for specifying the rate at which packets are sent to the ring (sharing is the only supported mode on ingress queues)

• Egress queues and scheduling

- Four egress queues per port

- WTD as the congestion-avoidance mechanism for managing the queue lengths and providing drop precedences for different traffic classifications

- SRR as the scheduling service for specifying the rate at which packets are dequeued to the egress interface (shaping or sharing is supported on egress queues). Shaped egress queues are guaranteed but limited to using a share of port bandwidth. Shared egress queues are also guaranteed a configured share of bandwidth, but can use more than the guarantee if other queues become empty and do not use their share of the bandwidth.
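The last item above draws the distinction that matters when choosing shaped versus shared SRR on an egress queue: a shaped queue is capped at its share even when the port is otherwise idle, while a shared queue may absorb bandwidth that other queues leave unused. The Python below is an added example that simulates one scheduling interval to make that difference concrete; it is not Cisco code and does not reproduce the switch's actual SRR algorithm. The queue class, the weights, the three-queue layout (the switch itself has four egress queues per port) and the byte counts are constructed for the illustration.

```python
"""Toy model of shaped versus shared egress queues, as described above.

Added illustration, not Cisco code: the queue class, the weights and the
scheduling step are invented for this example. Each interval the port can
transmit port_bytes. A shaped queue is guaranteed its weight-proportional
share but never sends more than it. Shared queues are served from whatever
capacity is left, by weight, and a shared queue with a large backlog may
take bandwidth that another shared queue (or an idle shaped queue) did not
use in that interval.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class EgressQueue:
    name: str
    weight: int        # relative share of port bandwidth
    shaped: bool       # True: hard cap at its share; False: may borrow
    backlog: int = 0   # bytes waiting to be sent


def schedule_interval(queues: List[EgressQueue], port_bytes: int) -> Dict[str, int]:
    """Run one scheduling interval and return bytes dequeued per queue."""
    total_weight = sum(q.weight for q in queues)
    sent = {q.name: 0 for q in queues}
    remaining = port_bytes

    # 1. Shaped queues: guaranteed their share, but limited to it even if
    #    the rest of the port is idle.
    for q in queues:
        if q.shaped:
            cap = port_bytes * q.weight // total_weight
            n = min(q.backlog, cap)
            q.backlog -= n
            sent[q.name] += n
            remaining -= n

    # 2. Shared queues: divide what is left by weight. A queue that cannot
    #    use its share is served fully and the surplus is re-divided among
    #    the queues that still have a backlog (water-filling).
    active = [q for q in queues if not q.shaped and q.backlog > 0]
    while active and remaining > 0:
        w = sum(q.weight for q in active)
        share = {q.name: remaining * q.weight // w for q in active}
        small = [q for q in active if q.backlog <= share[q.name]]
        if not small:
            for q in active:
                n = share[q.name]
                q.backlog -= n
                sent[q.name] += n
                remaining -= n
            break
        for q in small:
            n = q.backlog
            q.backlog = 0
            sent[q.name] += n
            remaining -= n
            active.remove(q)
    return sent


def scenario(backlogs: Dict[str, int], port_bytes: int = 1000) -> Dict[str, int]:
    """Constructed layout: one shaped queue at 25%, two shared queues at 25% and 50%."""
    queues = [
        EgressQueue("q1-shaped", 25, True, backlogs.get("q1-shaped", 0)),
        EgressQueue("q2-shared", 25, False, backlogs.get("q2-shared", 0)),
        EgressQueue("q3-shared", 50, False, backlogs.get("q3-shared", 0)),
    ]
    return schedule_interval(queues, port_bytes)


if __name__ == "__main__":
    big = 10_000  # a backlog far larger than one interval can drain
    print("all congested   :", scenario({"q1-shaped": big, "q2-shared": big, "q3-shared": big}))
    print("q3 idle         :", scenario({"q1-shaped": big, "q2-shared": big}))
    print("only shaped busy:", scenario({"q1-shaped": big}))
    print("q2 light        :", scenario({"q1-shaped": big, "q2-shared": 100, "q3-shared": big}))
```

Under full congestion every queue gets exactly its configured share. When q3 is idle, the shared q2 takes the whole remainder; when only the shaped q1 is busy, 750 of the 1000 bytes go unused because shaping forbids borrowing, which is the price paid for a predictable ceiling on that class of traffic.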

Monitoring Features

These are the monitoring features:

• Switch LEDs that provide status

• MAC address notification traps and RADIUS accounting for tracking users on a network by storing the MAC addresses that the switch has learned or removed

• Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) for traffic monitoring on any port or VLAN

• SPAN and RSPAN support of Intrusion Detection Systems (IDS) to monitor, repel, and report network security violations

• Four groups (history, statistics, alarms, and events) of embedded RMON agents for network monitoring and traffic analysis

• Syslog facility for logging system messages about authentication or authorization errors, resource issues, and time-out events

• Layer 2 traceroute to identify the physical path that a packet takes from a source device to a destination device

• Time Domain Reflector (TDR) to diagnose and resolve cabling problems on 10/100/1000 copper Ethernet ports

• SFP module diagnostic management interface to monitor physical or operational status of an SFP module
Default Settings After Initial Switch Configuration

The switch is designed for plug-and-play operation, requiring only that you assign basic IP information
to the switch and connect it to the other devices in your network. If you have specific network needs,
you can change the interface-specific and system-wide settings.

Note  For information about assigning an IP address by using the browser-based Express Setup program, see
the getting started guide. For information about assigning an IP address by using the CLI-based setup
program, see the hardware installation guide.


Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide
380261-003
1-9

Chapter 1 Overview


If you do not configure the switch at all, the switch operates with these default settings:

• Default switch IP address, subnet mask, and default gateway is 0.0.0.0. For more information, see
Chapter 3, "Assigning the Switch IP Address and Default Gateway," and Chapter 16, "Configuring
DHCP Features."

• Default domain name is not configured. For more information, see Chapter 3, "Assigning the Switch
IP Address and Default Gateway."

• DHCP client is enabled, the DHCP server is enabled (only if the device acting as a DHCP server is
configured and is enabled), and the DHCP relay agent is enabled (only if the device acting as a
DHCP relay agent is configured and is enabled). For more information, see Chapter 3, "Assigning
the Switch IP Address and Default Gateway," and Chapter 16, "Configuring DHCP Features."

• Switch cluster is disabled. For more information about switch clusters, see Chapter 6, "Clustering
Switches," and the Getting Started with Cisco Network Assistant, available on Cisco.com.

• No passwords are defined. For more information, see Chapter 4, "Administering the Switch."

• System name and prompt is Switch. For more information, see Chapter 4, "Administering the
Switch."

• NTP is enabled. For more information, see Chapter 4, "Administering the Switch."

• DNS is enabled. For more information, see Chapter 4, "Administering the Switch."

• TACACS+ is disabled. For more information, see Chapter 5, "Configuring Switch-Based
Authentication."

• RADIUS is disabled. For more information, see Chapter 5, "Configuring Switch-Based
Authentication."

• The standard HTTP server and Secure Socket Layer (SSL) HTTPS server are both enabled. For more
information, see Chapter 5, "Configuring Switch-Based Authentication."

• IEEE 802.1x is disabled. For more information, see Chapter 6, "Configuring IEEE 802.1x
Port-Based Authentication."

• Port parameters

- Interface speed and duplex mode is autonegotiate. For more information, see Chapter 7,
"Configuring Interface Characteristics."

- Auto-MDIX is enabled. For more information, see Chapter 7, "Configuring Interface
Characteristics."

- Flow control is off. For more information, see Chapter 7, "Configuring Interface
Characteristics."

- PortFast is enabled on the internal Gigabit Ethernet ports. For more information, see
Chapter 14, "Configuring Optional Spanning-Tree Features."

• No Smartports macros are defined. For more information, see Chapter 8, "Configuring Smartports
Macros."

• VLANs

- Default VLAN is VLAN 1. For more information, see Chapter 9, "Configuring VLANs."

- VLAN trunking setting is dynamic auto (DTP). For more information, see Chapter 9,
"Configuring VLANs."

- Trunk encapsulation is negotiate. For more information, see Chapter 9, "Configuring VLANs."

- VTP mode is server. For more information, see Chapter 10, "Configuring VTP."

- VTP version is Version 1. For more information, see Chapter 10, "Configuring VTP."

- Voice VLAN is disabled. For more information, see Chapter 11, "Configuring Voice VLAN."

• STP, PVST+ is enabled on VLAN 1. For more information, see Chapter 12, "Configuring STP."

• MSTP is disabled. For more information, see Chapter 13, "Configuring MSTP."

• Optional spanning-tree features are disabled. For more information, see Chapter 14, "Configuring
Optional Spanning-Tree Features."

• Flex Links are not configured. For more information, see Chapter 15, "Configuring Flex Links and
the MAC Address-Table Move Update Feature."

• DHCP snooping is disabled. The DHCP snooping information option is enabled. For more
information, see Chapter 16, "Configuring DHCP Features."

• IGMP snooping is enabled. No IGMP filters are applied. For more information, see Chapter 17,
"Configuring IGMP Snooping and MVR."

• IGMP throttling setting is deny. For more information, see Chapter 17, "Configuring IGMP
Snooping and MVR."

• The IGMP snooping querier feature is disabled. For more information, see Chapter 17, "Configuring
IGMP Snooping and MVR."

• MVR is disabled. For more information, see Chapter 17, "Configuring IGMP Snooping and MVR."

• Port-based traffic

- Broadcast, multicast, and unicast storm control is disabled. For more information, see
Chapter 18, "Configuring Port-Based Traffic Control."

- No protected ports are defined. For more information, see Chapter 18, "Configuring Port-Based
Traffic Control."

- Unicast and multicast traffic flooding is not blocked. For more information, see Chapter 18,
"Configuring Port-Based Traffic Control."

- No secure ports are configured. For more information, see Chapter 18, "Configuring Port-Based
Traffic Control."

• CDP is enabled. For more information, see Chapter 19, "Configuring CDP."

• UDLD is disabled. For more information, see Chapter 21, "Configuring UDLD."

• SPAN and RSPAN are disabled. For more information, see Chapter 22, "Configuring SPAN and
RSPAN."

• RMON is disabled. For more information, see Chapter 23, "Configuring RMON."

• Syslog messages are enabled and appear on the console. For more information, see Chapter 24,
"Configuring System Message Logging."

• SNMP is enabled (Version 1). For more information, see Chapter 25, "Configuring SNMP."

• No ACLs are configured. For more information, see Chapter 26, "Configuring Network Security
with ACLs."

• QoS is disabled. For more information, see Chapter 27, "Configuring QoS."

• No EtherChannels are configured. For more information, see Chapter 28, "Configuring
EtherChannels and Layer 2 Trunk Failover."
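Several of the defaults listed above are ones to verify before a switch carries production traffic: no passwords, the cleartext HTTP server enabled, SNMP Version 1, CDP enabled, DTP dynamic auto on every port, VTP server mode, and no secure ports. The Python script below is an added example, not part of the guide and not a Cisco tool: it parses saved `show running-config` text and reports those defaults. The sample configuration is constructed, and the script assumes that a command absent from the configuration means the factory default described above is still in effect (for example, no `vtp mode` line means VTP server, no `switchport mode` line on a port means dynamic auto).

```python
"""Report risky factory defaults in a saved IOS running-config.

Added example, not from the guide or Cisco. The sample configuration is
constructed. Assumption: a command that does not appear in the configuration
means the default described in the guide is still in effect (for example,
no "vtp mode" line means VTP server mode, no "switchport mode" line on a
port means DTP dynamic auto).
"""

SAMPLE_CONFIG = """\
hostname Switch
!
ip http server
ip http secure-server
!
interface GigabitEthernet0/1
 description blade server uplink
 switchport access vlan 10
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
!
snmp-server community public RO
!
line vty 0 4
 login
!
end
"""


def parse_config(text):
    """Split running-config text into global commands and indented blocks.

    Returns (global_cmds, blocks); blocks maps a header such as
    "interface GigabitEthernet0/1" or "line vty 0 4" to its sub-commands.
    """
    global_cmds = []
    blocks = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            blocks[current] = []
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, blocks


def audit(text):
    """Return (severity, finding) tuples for defaults worth changing."""
    global_cmds, blocks = parse_config(text)
    findings = []

    if not any(c.startswith(("enable secret", "enable password")) for c in global_cmds):
        findings.append(("high", "no enable password: privileged EXEC mode is unprotected"))
    if "ip http server" in global_cmds:
        findings.append(("medium", "cleartext HTTP server enabled (default); keep only the HTTPS server"))
    if "no cdp run" not in global_cmds:
        findings.append(("low", "CDP enabled (default); it advertises platform details to neighbors"))
    for c in global_cmds:
        if c.startswith("snmp-server community "):
            community = c.split()[2]
            findings.append(("medium", f"SNMPv1/v2c community string '{community}' in use"))
    if not any(c.startswith("vtp mode") for c in global_cmds):
        findings.append(("medium", "VTP mode not set: default is server, which accepts VLAN database updates"))

    for header, body in blocks.items():
        if header.startswith("interface "):
            if not any(b.startswith("switchport mode") for b in body):
                findings.append(("medium", f"{header}: no switchport mode; DTP default is dynamic auto"))
            if not any(b.startswith("switchport port-security") for b in body):
                findings.append(("low", f"{header}: port security not configured (default)"))
        elif header.startswith("line vty"):
            if not any(b.startswith("transport input ssh") for b in body):
                findings.append(("high", f"{header}: remote access not restricted to SSH"))
    return findings


def summarize(findings):
    """Count findings per severity, for a quick pass/fail view."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for severity, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    for severity, text in audit(SAMPLE_CONFIG):
        print(f"[{severity:6}] {text}")
    print(summarize(audit(SAMPLE_CONFIG)))
```

Run it against a configuration pulled from a switch before it is connected; each finding names the chapter topic above (passwords, HTTP, CDP, SNMP, VTP, DTP, port security, line access) so it can be cleared with the corresponding configuration.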

Design Concepts for Using the Switch

As your network users compete for network bandwidth, it takes longer to send and receive data. When
you configure your network, consider the bandwidth required by your network users and the relative
priority of the network applications that they use.

Table 1-1 describes what can cause network performance to degrade and how you can configure your
network to increase the bandwidth available to your network users.

Table 1-1  Increasing Network Performance

Network Demands: Too many users on a single network segment and a growing number of users
accessing the Internet
Suggested Design Methods:
• Create smaller network segments so that fewer users share the bandwidth, and use VLANs and IP
subnets to place the network resources in the same logical network as the users who access those
resources most.
• Use full-duplex operation between the switch and its connected workstations.

Network Demands:
• Increased power of new PCs, workstations, and servers
• High bandwidth demand from networked applications (such as e-mail with large attached files) and
from bandwidth-intensive applications (such as multimedia)
Suggested Design Methods:
• Connect global resources — such as servers and routers to which the network users require equal
access — directly to the high-speed switch ports so that they have their own high-speed segment.
• Use the EtherChannel feature between the switch and its connected servers and routers.

Bandwidth alone is not the only consideration when designing your network. As your network traffic
profiles evolve, consider providing network services that can support applications for voice and data
integration, multimedia integration, application prioritization, and security. Table 1-2 describes some
network demands and how you can meet them.

Table 1-2  Providing Network Services

Network Demands: Efficient bandwidth usage for multimedia applications and guaranteed bandwidth
for critical applications
Suggested Design Methods:
• Use IGMP snooping to efficiently forward multimedia and multicast traffic.
• Use other QoS mechanisms such as packet classification, marking, scheduling, and congestion
avoidance to classify traffic with the appropriate priority level, thereby providing maximum
flexibility and support for mission-critical, unicast, and multicast and multimedia applications.
• Use MVR to continuously send multicast streams in a multicast VLAN but to isolate the streams
from subscriber VLANs for bandwidth and security reasons.

Network Demands: High demand on network redundancy and availability to provide always-on
mission-critical applications
Suggested Design Methods:
• Use VLAN trunks and BackboneFast for traffic-load balancing on the uplink ports so that the uplink
port with a lower relative port cost is selected to carry the VLAN traffic.

Network Demands: An evolving demand for IP telephony
Suggested Design Methods:
• Use QoS to prioritize applications such as IP telephony during congestion and to help control both
delay and jitter within the network.
• Use switches that support at least two queues per port to prioritize voice and data traffic as either
high- or low-priority, based on IEEE 802.1p/Q. The switch supports at least four queues per port.
• Use voice VLAN IDs (VVIDs) to provide separate VLANs for voice traffic.

Network Demands: A growing demand for using existing infrastructure to transport data and voice
from a home or office to the Internet or an intranet at higher speeds
Suggested Design Methods:
Use the Catalyst Long-Reach Ethernet (LRE) switches to provide up to 15 Mb of IP connectivity over
existing infrastructure, such as existing telephone lines.

Note  LRE is the technology used in the Catalyst 2900 LRE XL and Catalyst 2950 LRE switches. See the
documentation sets specific to these switches for LRE information.

You can use the switches to create the following:

• Cost-effective Gigabit-to-the-blade server for high-performance workgroups (Figure 1-1) — For
high-speed access to network resources, you can use the blade switches in the access layer to provide
Gigabit Ethernet to the blade servers. To prevent congestion, use QoS DSCP marking priorities on
these switches. For high-speed IP forwarding at the distribution layer, connect the switches in the
access layer to a Gigabit multilayer switch with routing capability, such as a Catalyst 3750 switch,
or to a router.

The first illustration is of an isolated high-performance workgroup, where the blade switches are
connected to Catalyst 3750 switches in the distribution layer.

Each blade switch in this configuration provides users with a dedicated 1-Gb/s connection to
network resources. Using SFP modules also provides flexibility in media and distance options
through fiber-optic connections.

Figure 1-1  High-Performance Workgroup (Gigabit-to-the-Blade Server)

• Server aggregation (Figure 1-2) — You can use the switches to interconnect groups of servers,
centralizing physical security and administration of your network. For high-speed IP forwarding at
the distribution layer, connect the switches in the access layer to multilayer switches with routing
capability. The Gigabit interconnections minimize latency in the data flow.

QoS and policing on the blade switches provide preferential treatment for certain data streams. They
segment traffic streams into different paths for processing. Security features on the blade switch
ensure rapid handling of packets.

Fault tolerance from the server racks to the core is achieved through dual homing of servers
connected to the blade switches, which have redundant Gigabit EtherChannels.

Using dual SFP module uplinks from the blade switches provides redundant uplinks to the network
core. Using SFP modules provides flexibility in media and distance options through fiber-optic
connections.

Figure 1-2  Server Aggregation

Where to Go Next

Before configuring the switch, review these sections for startup information:

• Chapter 2, "Using the Command-Line Interface"

• Chapter 3, "Assigning the Switch IP Address and Default Gateway"
Using the Command-Line Interface

This chapter describes the Cisco IOS command-line interface (CLI) and how to use it to configure your
switch. It contains these sections:

• Understanding Command Modes, page 2-1

• Understanding the Help System, page 2-3

• Understanding Abbreviated Commands, page 2-4

• Understanding no and default Forms of Commands, page 2-4

• Understanding CLI Error Messages, page 2-5

• Using Configuration Logging, page 2-5

• Using Command History, page 2-6

• Using Editing Features, page 2-7

• Searching and Filtering Output of show and more Commands, page 2-10

• Accessing the CLI, page 2-10

Understanding Command Modes

The Cisco IOS user interface is divided into many different modes. The commands available to you
depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a
list of commands available for each command mode.

When you start a session on the switch, you begin in user mode, often called user EXEC mode. Only a
limited subset of the commands are available in user EXEC mode. For example, most of the user EXEC
commands are one-time commands, such as show commands, which show the current configuration
status, and clear commands, which clear counters or interfaces. The user EXEC commands are not saved
when the switch reboots.

To have access to all commands, you must enter privileged EXEC mode. Normally, you must enter a
password to enter privileged EXEC mode. From this mode, you can enter any privileged EXEC
command or enter global configuration mode.

Using the configuration modes (global, interface, and line), you can make changes to the running
configuration. If you save the configuration, these commands are stored and used when the switch
reboots. To access the various configuration modes, you must start at global configuration mode. From
global configuration mode, you can enter interface configuration mode and line configuration mode.
Table 2-1 describes the main command modes, how to access each one, the prompt you see in that mode,
and how to exit the mode. The examples in the table use the hostname Switch.

Table 2-1  Command Mode Summary

Mode: User EXEC
Access Method: Begin a session with your switch.
Prompt: Switch>
Exit Method: Enter logout or quit.
About This Mode: Use this mode to
• Change terminal settings.
• Perform basic tests.
• Display system information.

Mode: Privileged EXEC
Access Method: While in user EXEC mode, enter the enable command.
Prompt: Switch#
Exit Method: Enter disable to exit.
About This Mode: Use this mode to verify commands that you have entered. Use a password to protect
access to this mode.

Mode: Global configuration
Access Method: While in privileged EXEC mode, enter the configure command.
Prompt: Switch(config)#
Exit Method: To exit to privileged EXEC mode, enter exit or end, or press Ctrl-Z.
About This Mode: Use this mode to configure parameters that apply to the entire switch.

Mode: Config-vlan
Access Method: While in global configuration mode, enter the vlan vlan-id command.
Prompt: Switch(config-vlan)#
Exit Method: To exit to global configuration mode, enter the exit command. To return to privileged
EXEC mode, press Ctrl-Z or enter end.
About This Mode: Use this mode to configure VLAN parameters. When VTP mode is transparent, you
can create extended-range VLANs (VLAN IDs greater than 1005) and save configurations in the switch
startup configuration file.

Mode: VLAN configuration
Access Method: While in privileged EXEC mode, enter the vlan database command.
Prompt: Switch(vlan)#
Exit Method: To exit to privileged EXEC mode, enter exit.
About This Mode: Use this mode to configure VLAN parameters for VLANs 1 to 1005 in the VLAN
database.

Mode: Interface configuration
Access Method: While in global configuration mode, enter the interface command (with a specific
interface).
Prompt: Switch(config-if)#
Exit Method: To exit to global configuration mode, enter exit. To return to privileged EXEC mode,
press Ctrl-Z or enter end.
About This Mode: Use this mode to configure parameters for the Ethernet ports. For information about
defining interfaces, see the "Using Interface Configuration Mode" section on page 7-4. To configure
multiple interfaces with the same parameters, see the "Configuring a Range of Interfaces" section on
page 7-6.

Mode: Line configuration
Access Method: While in global configuration mode, specify a line with the line vty or line console
command.
Prompt: Switch(config-line)#
Exit Method: To exit to global configuration mode, enter exit. To return to privileged EXEC mode,
press Ctrl-Z or enter end.
About This Mode: Use this mode to configure parameters for the terminal line.

For more detailed information on the command modes, see the command reference guide for this release.


Understanding the Help System

You can enter a question mark (?) at the system prompt to display a list of commands available for each
command mode. You can also obtain a list of associated keywords and arguments for any command, as
shown in Table 2-2.

Table 2-2  Help Summary

Command: help
Purpose: Obtain a brief description of the help system in any command mode.

Command: abbreviated-command-entry?
Purpose: Obtain a list of commands that begin with a particular character string.
For example:

Switch# di?
dir disable disconnect

Command: abbreviated-command-entry<Tab>
Purpose: Complete a partial command name.
For example:

Switch# sh conf<tab>
Switch# show configuration

Command: ?
Purpose: List all commands available for a particular command mode.
For example:

Switch> ?

Command: command ?
Purpose: List the associated keywords for a command.
For example:

Switch> show ?

Command: command keyword ?
Purpose: List the associated arguments for a keyword.
For example:

Switch(config)# cdp holdtime ?
<10-255>  Length of time (in sec) that receiver must keep this packet

Understanding Abbreviated Commands

You need to enter only enough characters for the switch to recognize the command as unique.

This example shows how to enter the show configuration privileged EXEC command in an abbreviated
form:

Switch# show conf

Understanding no and default Forms of Commands

Almost every configuration command also has a no form. In general, use the no form to disable a feature
or function or reverse the action of a command. For example, the no shutdown interface configuration
command reverses the shutdown of an interface. Use the command without the keyword no to re-enable
a disabled feature or to enable a feature that is disabled by default.

Configuration commands can also have a default form. The default form of a command returns the
command setting to its default. Most commands are disabled by default, so the default form is the same
as the no form. However, some commands are enabled by default and have variables set to certain
default values. In these cases, the default command enables the command and sets variables to their
default values.
Understanding CLI Error Messages

Table 2-3 lists some error messages that you might encounter while using the CLI to configure your
switch.

Table 2-3  Common CLI Error Messages

Error Message: % Ambiguous command: "show con"
Meaning: You did not enter enough characters for your switch to recognize the command.
How to Get Help: Re-enter the command followed by a question mark (?) with a space between the
command and the question mark. The possible keywords that you can enter with the command appear.

Error Message: % Incomplete command.
Meaning: You did not enter all the keywords or values required by this command.
How to Get Help: Re-enter the command followed by a question mark (?) with a space between the
command and the question mark. The possible keywords that you can enter with the command appear.

Error Message: % Invalid input detected at '^' marker.
Meaning: You entered the command incorrectly. The caret (^) marks the point of the error.
How to Get Help: Enter a question mark (?) to display all the commands that are available in this
command mode. The possible keywords that you can enter with the command appear.
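The abbreviation rule, the `?` help listings in Table 2-2 and the three error messages in Table 2-3 all follow from one matching procedure over the command tree. The Python below is an added example, not text from the guide and not the IOS parser itself: it models that procedure over a constructed tree of a few keywords (dir, disable, disconnect, and show with configuration, controllers, history and version) and returns the same messages the table lists, with the caret placed under the word that failed.

```python
"""Model of command abbreviation and the CLI error messages in Table 2-3.

Added example, not from the guide and not the IOS parser: a constructed
command tree of a few keywords and a resolver that applies the rules the
guide describes. A word is accepted when it is the prefix of exactly one
keyword at that point in the command; several matches give
"% Ambiguous command", missing required keywords give
"% Incomplete command.", and anything else gives "% Invalid input detected
at '^' marker." with the caret under the word that failed.
"""

# Constructed tree: a dict means more keywords are required, None means the
# command is complete at this point.
COMMAND_TREE = {
    "dir": None,
    "disable": None,
    "disconnect": None,
    "show": {
        "configuration": None,
        "controllers": None,
        "history": None,
        "version": None,
    },
}

INVALID = "% Invalid input detected at '^' marker."
INCOMPLETE = "% Incomplete command."


def expand(words, tree=COMMAND_TREE):
    """Expand abbreviated words to full keywords, or return the error text."""
    line = " ".join(words)
    node = tree
    column = 0          # where the current word starts, for the caret
    full = []
    for word in words:
        if node is None:    # an extra word after a complete command
            return f"{line}\n{' ' * column}^\n{INVALID}"
        # An exact keyword wins over longer keywords that share the prefix.
        matches = [word] if word in node else [k for k in node if k.startswith(word)]
        if not matches:
            return f"{line}\n{' ' * column}^\n{INVALID}"
        if len(matches) > 1:
            return f'% Ambiguous command: "{line}"'
        full.append(matches[0])
        node = node[matches[0]]
        column += len(word) + 1
    if node is not None:    # more keywords are required
        return INCOMPLETE
    return " ".join(full)


def help_list(words, tree=COMMAND_TREE):
    """Emulate '?' help: keywords that can follow the words typed so far.

    The last word is treated as a partial keyword (as in 'di?'); pass an
    empty last word for the 'show ?' style listing of everything that can
    follow a complete keyword.
    """
    node = tree
    for word in words[:-1]:
        matches = [word] if word in node else [k for k in node if k.startswith(word)]
        if len(matches) != 1 or node[matches[0]] is None:
            return []
        node = node[matches[0]]
    partial = words[-1] if words else ""
    return sorted(k for k in node if k.startswith(partial))


if __name__ == "__main__":
    for entry in ("sh conf", "show con", "show", "show foo"):
        print(f"Switch# {entry}\n{expand(entry.split())}\n")
    print("Switch# di?  ->", " ".join(help_list(["di"])))
```

The caret column is the offset of the failing word in the line as typed, which is why the model tracks the abbreviated words rather than the expanded ones; the `show con` case reproduces the ambiguity in Table 2-3 because both `configuration` and `controllers` share that prefix.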

Using Configuration Logging

You can log and view changes to the switch configuration. You can use the Configuration Change
Logging and Notification feature to track changes on a per-session and per-user basis. The logger tracks
each configuration command that is applied, the user who entered the command, the time that the
command was entered, and the parser return code for the command. This feature includes a mechanism
for asynchronous notification to registered applications whenever the configuration changes. You can
choose to have the notifications sent to the syslog.

For more information, see the Configuration Change Notification and Logging feature module at this
URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d1e81.html

Note  Only CLI or HTTP changes are logged.
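When the notifications are sent to syslog, each applied command arrives at the collector as one message carrying the user and the command text, which makes configuration changes easy to review per user and to alert on. The Python below is an added example, not part of the guide or of Cisco IOS: it parses constructed log lines in the `%PARSER-5-CFGLOG_LOGGEDCMD` form that the configuration logger emits (the exact layout assumed here is `User:<name>  logged command:<text>`), groups commands by user, and flags a constructed watch list of changes that weaken logging, AAA or ACLs or start traffic mirroring, which a defender would want reviewed.

```python
"""Parse Configuration Change Logging syslog messages and flag risky commands.

Added example, not part of the guide or of Cisco IOS. The log lines are
constructed; the message layout assumed here is the %PARSER-5-CFGLOG_LOGGEDCMD
form ("User:<name>  logged command:<text>") that the configuration logger
emits when notifications go to syslog. The watch list is an assumption:
commands that weaken logging, AAA or ACLs, or start traffic mirroring.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
*Mar  1 00:10:05.101: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface GigabitEthernet0/1
*Mar  1 00:10:09.433: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:switchport mode trunk
*Mar  1 00:11:40.002: %PARSER-5-CFGLOG_LOGGEDCMD: User:ops  logged command:no logging host 10.0.0.5
*Mar  1 00:12:02.777: %PARSER-5-CFGLOG_LOGGEDCMD: User:ops  logged command:monitor session 1 destination interface Gi0/4
*Mar  1 00:12:30.010: %PARSER-5-CFGLOG_LOGGEDCMD: User:ops  logged command:no aaa new-model
this line is not a configuration-change message and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\*?\w{3}\s+\d+\s+[\d:.]+): %PARSER-5-CFGLOG_LOGGEDCMD: "
    r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# Constructed watch list: (pattern over the command text, reason to review).
WATCH = [
    (re.compile(r"^no logging "), "logging destination or logging removed"),
    (re.compile(r"^no aaa "), "AAA disabled"),
    (re.compile(r"^no enable (secret|password)"), "privileged password removed"),
    (re.compile(r"^monitor session "), "SPAN session changed (traffic mirroring)"),
    (re.compile(r"^no (ip |mac )?access-list "), "access list removed"),
    (re.compile(r"^no archive"), "configuration logging turned off"),
]


def parse_events(text):
    """Return one dict (ts, user, cmd) per configuration-change message."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def review(events):
    """Return (user, command, reason) for every command on the watch list."""
    flagged = []
    for ev in events:
        for pattern, reason in WATCH:
            if pattern.search(ev["cmd"]):
                flagged.append((ev["user"], ev["cmd"], reason))
                break
    return flagged


def commands_by_user(events):
    """Group the applied commands by the user who entered them."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev["cmd"])
    return dict(by_user)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, cmds in commands_by_user(evs).items():
        print(f"{user}: {len(cmds)} command(s)")
    for user, cmd, reason in review(evs):
        print(f"REVIEW {user}: '{cmd}' ({reason})")
```

Because the note above says only CLI and HTTP changes are logged, this review covers configuration edits made through those paths; changes made by other means would not appear in these messages.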
Using Command History

The software provides a history or record of commands that you have entered. The command history
feature is particularly useful for recalling long or complex commands or entries, including access lists.
You can customize this feature to suit your needs as described in these sections:

• Changing the Command History Buffer Size, page 2-6 (optional)

• Recalling Commands, page 2-6 (optional)

• Disabling the Command History Feature, page 2-7 (optional)

Changing the Command History Buffer Size

By default, the switch records ten command lines in its history buffer. You can alter this number for a
current terminal session or for all sessions on a particular line. These procedures are optional.

Beginning in privileged EXEC mode, enter this command to change the number of command lines that
the switch records during the current terminal session:

Switch# terminal history [size number-of-lines]

The range is from 0 to 256.

Beginning in line configuration mode, enter this command to configure the number of command lines
the switch records for all sessions on a particular line:

Switch(config-line)# history [size number-of-lines]

The range is from 0 to 256.

Recalling Commands

To recall commands from the history buffer, perform one of the actions listed in Table 2-4. These actions
are optional.

Table 2-4  Recalling Commands

Action [1]: Press Ctrl-P or the up arrow key.
Result: Recall commands in the history buffer, beginning with the most recent command. Repeat the key
sequence to recall successively older commands.

Action [1]: Press Ctrl-N or the down arrow key.
Result: Return to more recent commands in the history buffer after recalling commands with Ctrl-P or
the up arrow key. Repeat the key sequence to recall successively more recent commands.

Action [1]: show history
Result: While in privileged EXEC mode, list the last several commands that you just entered. The
number of commands that appear is controlled by the setting of the terminal history global
configuration command and the history line configuration command.

[1] The arrow keys function only on ANSI-compatible terminals such as VT100s.

Disabling the Command History Feature

The command history feature is automatically enabled. You can disable it for the current terminal
session or for the command line. These procedures are optional.

To disable the feature during the current terminal session, enter the terminal no history privileged
EXEC command.

To disable command history for the line, enter the no history line configuration command.


Using Editing Features

This section describes the editing features that can help you manipulate the command line. It contains
these sections:

• Enabling and Disabling Editing Features, page 2-7 (optional)

• Editing Commands through Keystrokes, page 2-7 (optional)

• Editing Command Lines that Wrap, page 2-9 (optional)

Enabling and Disabling Editing Features

Although enhanced editing mode is automatically enabled, you can disable it, re-enable it, or configure
a specific line to have enhanced editing. These procedures are optional.

To globally disable enhanced editing mode, enter this command in line configuration mode:

Switch(config-line)# no editing

To re-enable the enhanced editing mode for the current terminal session, enter this command in
privileged EXEC mode:

Switch# terminal editing

To reconfigure a specific line to have enhanced editing mode, enter this command in line configuration
mode:

Switch(config-line)# editing

Editing Commands through Keystrokes

Table 2-5 shows the keystrokes that you need to edit command lines. These keystrokes are optional.

Table 2-5  Editing Commands through Keystrokes

Capability: Move around the command line to make changes or corrections.

Keystroke [1]: Press Ctrl-B, or press the left arrow key.
Purpose: Move the cursor back one character.

Keystroke [1]: Press Ctrl-F, or press the right arrow key.
Purpose: Move the cursor forward one character.

Keystroke: Press Ctrl-A.
Purpose: Move the cursor to the beginning of the command line.

Keystroke: Press Ctrl-E.
Purpose: Move the cursor to the end of the command line.

Keystroke: Press Esc B.
Purpose: Move the cursor back one word.

Keystroke: Press Esc F.
Purpose: Move the cursor forward one word.

Keystroke: Press Ctrl-T.
Purpose: Transpose the character to the left of the cursor with the character located at the cursor.

Capability: Recall commands from the buffer and paste them in the command line. The switch provides
a buffer with the last ten items that you deleted.

Keystroke: Press Ctrl-Y.
Purpose: Recall the most recent entry in the buffer.

Keystroke: Press Esc Y.
Purpose: Recall the next buffer entry. The buffer contains only the last 10 items that you have deleted
or cut. If you press Esc Y more than ten times, you cycle to the first buffer entry.

Capability: Delete entries if you make a mistake or change your mind.

Keystroke: Press the Delete or Backspace key.
Purpose: Erase the character to the left of the cursor.

Keystroke: Press Ctrl-D.
Purpose: Delete the character at the cursor.

Keystroke: Press Ctrl-K.
Purpose: Delete all characters from the cursor to the end of the command line.

Keystroke: Press Ctrl-U or Ctrl-X.
Purpose: Delete all characters from the cursor to the beginning of the command line.

Keystroke: Press Ctrl-W.
Purpose: Delete the word to the left of the cursor.

Keystroke: Press Esc D.
Purpose: Delete from the cursor to the end of the word.

Capability: Capitalize or lowercase words or capitalize a set of letters.

Keystroke: Press Esc C.
Purpose: Capitalize at the cursor.

Keystroke: Press Esc L.
Purpose: Change the word at the cursor to lowercase.

Keystroke: Press Esc U.
Purpose: Capitalize letters from the cursor to the end of the word.

Capability: Designate a particular keystroke as an executable command, perhaps as a shortcut.

Keystroke: Press Ctrl-V or Esc Q.

Capability: Scroll down a line or screen on displays that are longer than the terminal screen can
display.

Keystroke: Press the Return key.
Purpose: Scroll down one line.

Note  The More prompt is used for any output that has more lines than can be displayed on the terminal
screen, including show command output. You can use the Return and Space bar keystrokes whenever
you see the More prompt.

Keystroke: Press the Space bar.
Purpose: Scroll down one screen.

Capability: Redisplay the current command line if the switch suddenly sends a message to your screen.

Keystroke: Press Ctrl-L or Ctrl-R.
Purpose: Redisplay the current command line.

[1] The arrow keys function only on ANSI-compatible terminals such as VT100s.


Editing  Command  Lines  that  Wrap 

You  can  use  a  wraparound  feature  for  commands  that  extend  beyond  a  single  line  on  the  screen.  When 
the  cursor  reaches  the  right  margin,  the  command  line  shifts  ten  spaces  to  the  left.  You  cannot  see  the 
first  ten  characters  of  the  line,  but  you  can  scroll  back  and  check  the  syntax  at  the  beginning  of  the 
command.  The  keystroke  actions  are  optional. 

To  scroll  back  to  the  beginning  of  the  command  entry,  press  Ctrl-B  or  the  left  arrow  key  repeatedly.  You 
can  also  press  Ctrl-A  to  immediately  move  to  the  beginning  of  the  line. 

The arrow keys function only on ANSI-compatible terminals such as VT100s.

In  this  example,  the  access-list  global  configuration  command  entry  extends  beyond  one  line.  When  the 
cursor  first  reaches  the  end  of  the  line,  the  line  is  shifted  ten  spaces  to  the  left  and  redisplayed.  The  dollar 
sign  ($)  shows  that  the  line  has  been  scrolled  to  the  left.  Each  time  the  cursor  reaches  the  end  of  the  line, 
the  line  is  again  shifted  ten  spaces  to  the  left. 

Switch(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1
Switch(config)# $ 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.25
Switch(config)# $t tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eq
Switch(config)# $108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eq 45

After  you  complete  the  entry,  press  Ctrl-A  to  check  the  complete  syntax  before  pressing  the  Return  key 
to  execute  the  command.  The  dollar  sign  ($)  appears  at  the  end  of  the  line  to  show  that  the  line  has  been 
scrolled  to  the  right: 

Switch(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1$

The  software  assumes  you  have  a  terminal  screen  that  is  80  columns  wide.  If  you  have  a  width  other  than 
that,  use  the  terminal  width  privileged  EXEC  command  to  set  the  width  of  your  terminal. 

Use  line  wrapping  with  the  command  history  feature  to  recall  and  modify  previous  complex  command 
entries.  For  information  about  recalling  previous  command  entries,  see  the  "Editing  Commands  through 
Keystrokes"  section  on  page  2-7. 
Searching and Filtering Output of show and more Commands

You  can  search  and  filter  the  output  for  show  and  more  commands.  This  is  useful  when  you  need  to  sort 
through  large  amounts  of  output  or  if  you  want  to  exclude  output  that  you  do  not  need  to  see.  Using  these 
commands  is  optional. 

To use this functionality, enter a show or more command followed by the pipe character (|), one of the keywords begin, include, or exclude, and an expression that you want to search for or filter out:

command | {begin | include | exclude} regular-expression

Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output are not displayed, but the lines that contain Output appear.

This  example  shows  how  to  include  in  the  output  display  only  lines  where  the  expression  protocol 
appears: 

Switch# show interfaces | include protocol

Vlan1 is up, line protocol is up
Vlan10 is up, line protocol is down
GigabitEthernet0/1 is up, line protocol is down
GigabitEthernet0/2 is up, line protocol is up
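The three filter keywords applied to the show interfaces lines above, as an added Python model (not the switch's own implementation); SHOW_INTERFACES is a constructed copy of that output, and matching is case sensitive as the text states.

```python
"""Model of the IOS output filter: command | {begin | include | exclude} regular-expression.

Added example, not Cisco's code. 'include' keeps matching lines, 'exclude' drops
them, and 'begin' shows everything from the first matching line to the end.
"""
import re

# Constructed sample output: the four 'show interfaces' lines from the text.
SHOW_INTERFACES = """Vlan1 is up, line protocol is up
Vlan10 is up, line protocol is down
GigabitEthernet0/1 is up, line protocol is down
GigabitEthernet0/2 is up, line protocol is up"""


def filter_output(output, keyword, expression):
    """Return the lines that 'output | keyword expression' would display."""
    pattern = re.compile(expression)           # no IGNORECASE: the switch is case sensitive
    lines = output.splitlines()
    if keyword == "include":
        return [line for line in lines if pattern.search(line)]
    if keyword == "exclude":
        return [line for line in lines if not pattern.search(line)]
    if keyword == "begin":
        for i, line in enumerate(lines):
            if pattern.search(line):
                return lines[i:]               # first match through the end of the output
        return []
    raise ValueError(f"unknown filter keyword: {keyword}")


if __name__ == "__main__":
    for line in filter_output(SHOW_INTERFACES, "include", "protocol is down"):
        print(line)
```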

Accessing  the  CLI 

You  can  access  the  CLI  through  a  console  connection,  through  Telnet,  or  by  using  the  browser. 

Accessing  the  CLI  through  a  Console  Connection  or  through  Telnet 

Before  you  can  access  the  CLI,  you  must  connect  a  terminal  or  PC  to  the  switch  console  port  and  power 
on  the  switch,  as  described  in  the  hardware  installation  guide  that  shipped  with  your  switch.  Then,  to 
understand  the  boot  up  process  and  the  options  available  for  assigning  IP  information,  see  Chapter  3, 
"Assigning  the  Switch  IP  Address  and  Default  Gateway." 

If  your  switch  is  already  configured,  you  can  access  the  CLI  through  a  local  console  connection  or 
through  a  remote  Telnet  session,  but  your  switch  must  first  be  configured  for  this  type  of  access.  For 
more  information,  see  the  "Setting  a  Telnet  Password  for  a  Terminal  Line"  section  on  page  5-6. 

You  can  use  one  of  these  methods  to  establish  a  connection  with  the  switch: 

•  Connect  the  switch  console  port  to  a  management  station  or  dial-up  modem.  For  information  about 
connecting  to  the  console  port,  see  the  switch  hardware  installation  guide. 

•  Use  any  Telnet  TCP/IP  or  encrypted  Secure  Shell  (SSH)  package  from  a  remote  management 
station.  The  switch  must  have  network  connectivity  with  the  Telnet  or  SSH  client,  and  the  switch 
must  have  an  enable  secret  password  configured. 

For  information  about  configuring  the  switch  for  Telnet  access,  see  the  "Setting  a  Telnet  Password 
for  a  Terminal  Line"  section  on  page  5-6.  The  switch  supports  up  to  16  simultaneous  Telnet 
sessions.  Changes  made  by  one  Telnet  user  are  reflected  in  all  other  Telnet  sessions. 

For  information  about  configuring  the  switch  for  SSH,  see  the  "Configuring  the  Switch  for  Secure 
Shell"  section  on  page  5-37.  The  switch  supports  up  to  five  simultaneous  secure  SSH  sessions. 

After  you  connect  through  the  console  port,  through  a  Telnet  session  or  through  an  SSH  session,  the 
user  EXEC  prompt  appears  on  the  management  station. 
Assigning the Switch IP Address and Default Gateway


This  chapter  describes  how  to  create  the  initial  switch  configuration  (for  example,  assigning  the  IP 
address  and  default  gateway  information)  by  using  a  variety  of  automatic  and  manual  methods.  It  also 
describes  how  to  modify  the  switch  startup  configuration. 

Note  For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2.

This  chapter  consists  of  these  sections: 

•  Understanding  the  Bootup  Process,  page  3-1 

•  Assigning  Switch  Information,  page  3-2 

•  Checking  and  Saving  the  Running  Configuration,  page  3-11 

•  Modifying  the  Startup  Configuration,  page  3-12 

•  Scheduling  a  Reload  of  the  Software  Image,  page  3-16 

Understanding  the  Bootup  Process 

To  start  your  switch,  you  need  to  follow  the  procedures  in  the  getting  started  guide  or  the  hardware 
installation  guide  for  installing  and  powering  on  the  switch  and  setting  up  the  initial  switch  configuration 
(IP  address,  subnet  mask,  default  gateway,  secret  and  Telnet  passwords,  and  so  forth). 

The  normal  bootup  process  involves  the  operation  of  the  bootloader  software,  which  performs  these 
activities: 

•  Performs  low-level  CPU  initialization.  It  initializes  the  CPU  registers,  which  control  where  physical 
memory  is  mapped,  its  quantity,  its  speed,  and  so  forth. 

•  Performs  power-on  self-test  (POST)  for  the  CPU  subsystem.  It  tests  the  CPU  DRAM  and  the  portion 
of  the  flash  device  that  makes  up  the  flash  file  system. 

•  Initializes  the  flash  file  system  on  the  system  board. 

•  Loads  a  default  operating  system  software  image  into  memory  and  boots  the  switch. 
The bootloader provides access to the flash file system before the operating system is loaded. Normally,
the  bootloader  is  used  only  to  load,  uncompress,  and  launch  the  operating  system.  After  the  bootloader 
gives  the  operating  system  control  of  the  CPU,  the  bootloader  is  not  active  until  the  next  system  reset  or 
power-on. 

The  bootloader  also  provides  trap-door  access  into  the  system  if  the  operating  system  has  problems 
serious  enough  that  it  cannot  be  used.  The  trap-door  mechanism  provides  enough  access  to  the  system 
so  that  if  it  is  necessary,  you  can  format  the  flash  file  system,  reinstall  the  operating  system  software 
image  by  using  the  Xmodem  Protocol,  recover  from  a  lost  or  forgotten  password,  and  finally  restart  the 
operating  system.  For  more  information,  see  the  "Recovering  from  a  Software  Failure"  section  on 
page  29-2  and  the  "Recovering  from  a  Lost  or  Forgotten  Password"  section  on  page  29-3. 


Note      You  can  disable  password  recovery.  For  more  information,  see  the  "Disabling  Password  Recovery" 
section  on  page  5-5. 

Before you can assign switch information, make sure you have connected a PC or terminal to the console port, and configured the PC or terminal-emulation software baud rate and character format to match those of the switch console port:

•  Baud rate default is 9600.

•  Data bits default is 8.

Note  If the data bits option is set to 8, set the parity option to none.

•  Stop bits default is 1.

•  Parity settings default is none.


Assigning  Switch  Information 

You  can  assign  IP  information  through  the  switch  setup  program,  through  a  DHCP  server,  or  manually. 

Use  the  switch  setup  program  if  you  want  to  be  prompted  for  specific  IP  information.  With  this  program, 
you  can  also  configure  a  hostname  and  an  enable  secret  password.  It  gives  you  the  option  of  assigning  a 
Telnet  password  (to  provide  security  during  remote  management)  and  configuring  your  switch  as  a 
command  or  member  switch  of  a  cluster  or  as  a  standalone  switch.  For  more  information  about  the  setup 
program,  see  the  hardware  installation  guide. 

Use  a  DHCP  server  for  centralized  control  and  automatic  assignment  of  IP  information  after  the  server 
is  configured. 


Note      If  you  are  using  DHCP,  do  not  respond  to  any  of  the  questions  in  the  setup  program  until  the  switch 
receives  the  dynamically  assigned  IP  address  and  reads  the  configuration  file. 



If  you  are  an  experienced  user  familiar  with  the  switch  configuration  steps,  manually  configure  the 
switch.  Otherwise,  use  the  setup  program  described  previously. 

These  sections  contain  this  configuration  information: 

•  Default  Switch  Information,  page  3-3 

•  Understanding  DHCP-Based  Autoconfiguration,  page  3-3 

•  Manually  Assigning  IP  Information,  page  3-10 

Default  Switch  Information 

Table  3-1  shows  the  default  switch  information. 


Table 3-1  Default Switch Information

Feature                               Default Setting
DHCP client                           Enabled.
IP address and subnet mask            No specific IP address or subnet mask is defined.
Default gateway                       No specific default gateway is defined.
Enable secret password                No specific password is defined.
Hostname                              The factory-assigned default hostname is Switch.
Telnet password                       No specific password is defined.
Cluster command switch functionality  Disabled.
Cluster name                          No specific cluster name is defined.

Understanding  DHCP-Based  Autoconfiguration 

DHCP  provides  configuration  information  to  Internet  hosts  and  internetworking  devices.  This  protocol 
consists  of  two  components:  one  for  delivering  configuration  parameters  from  a  DHCP  server  to  a  device 
and  a  mechanism  for  allocating  network  addresses  to  devices.  DHCP  is  built  on  a  client-server  model, 
in  which  designated  DHCP  servers  allocate  network  addresses  and  deliver  configuration  parameters  to 
dynamically  configured  devices.  The  switch  can  act  as  both  a  DHCP  client  and  a  DHCP  server. 

During  DHCP-based  autoconfiguration,  your  switch  (DHCP  client)  is  automatically  configured  at 
startup  with  IP  address  information  and  a  configuration  file. 

With  DHCP-based  autoconfiguration,  no  DHCP  client-side  configuration  is  needed  on  your  switch. 
However,  you  need  to  configure  the  DHCP  server  for  various  lease  options  associated  with  IP  addresses. 
If  you  are  using  DHCP  to  relay  the  configuration  file  location  on  the  network,  you  might  also  need  to 
configure  a  Trivial  File  Transfer  Protocol  (TFTP)  server  and  a  Domain  Name  System  (DNS)  server. 

The  DHCP  server  for  your  switch  can  be  on  the  same  LAN  or  on  a  different  LAN  than  the  switch.  If  the 
DHCP  server  is  running  on  a  different  LAN,  you  should  configure  a  DHCP  relay  device  between  your 
switch  and  the  DHCP  server.  A  relay  device  forwards  broadcast  traffic  between  two  directly  connected 
LANs.  A  router  does  not  forward  broadcast  packets,  but  it  forwards  packets  based  on  the  destination  IP 
address  in  the  received  packet. 

DHCP-based  autoconfiguration  replaces  the  BOOTP  client  functionality  on  your  switch. 
DHCP Client Request Process

When  you  boot  up  your  switch,  the  DHCP  client  is  invoked  and  requests  configuration  information  from 
a  DHCP  server  when  the  configuration  file  is  not  present  on  the  switch.  If  the  configuration  file  is  present 
and  the  configuration  includes  the  ip  address  dhcp  interface  configuration  command  on  specific  routed 
interfaces,  the  DHCP  client  is  invoked  and  requests  the  IP  address  information  for  those  interfaces. 

Figure  3-1  shows  the  sequence  of  messages  that  are  exchanged  between  the  DHCP  client  and  the  DHCP 
server. 


Figure 3-1  DHCP Client and Server Message Exchange: Switch A sends DHCPDISCOVER (broadcast) to the DHCP server, which answers with DHCPOFFER (unicast); Switch A then sends DHCPREQUEST (broadcast), and the server answers with DHCPACK (unicast).

The  client,  Switch  A,  broadcasts  a  DHCPDISCOVER  message  to  locate  a  DHCP  server.  The  DHCP 
server  offers  configuration  parameters  (such  as  an  IP  address,  subnet  mask,  gateway  IP  address,  DNS  IP 
address,  a  lease  for  the  IP  address,  and  so  forth)  to  the  client  in  a  DHCPOFFER  unicast  message. 

In  a  DHCPREQUEST  broadcast  message,  the  client  returns  a  formal  request  for  the  offered 
configuration  information  to  the  DHCP  server.  The  formal  request  is  broadcast  so  that  all  other  DHCP 
servers  that  received  the  DHCPDISCOVER  broadcast  message  from  the  client  can  reclaim  the  IP 
addresses  that  they  offered  to  the  client. 

The  DHCP  server  confirms  that  the  IP  address  has  been  allocated  to  the  client  by  returning  a  DHCPACK 
unicast  message  to  the  client.  With  this  message,  the  client  and  server  are  bound,  and  the  client  uses 
configuration  information  received  from  the  server.  The  amount  of  information  the  switch  receives 
depends  on  how  you  configure  the  DHCP  server.  For  more  information,  see  the  "Configuring  the  TFTP 
Server"  section  on  page  3-6. 

If  the  configuration  parameters  sent  to  the  client  in  the  DHCPOFFER  unicast  message  are  invalid  (a 
configuration  error  exists),  the  client  returns  a  DHCPDECLINE  broadcast  message  to  the  DHCP  server. 

The  DHCP  server  sends  the  client  a  DHCPNAK  denial  broadcast  message,  which  means  that  the  offered 
configuration  parameters  have  not  been  assigned,  that  an  error  has  occurred  during  the  negotiation  of  the 
parameters,  or  that  the  client  has  been  slow  in  responding  to  the  DHCPOFFER  message  (the  DHCP 
server  assigned  the  parameters  to  another  client). 

A  DHCP  client  might  receive  offers  from  multiple  DHCP  or  BOOTP  servers  and  can  accept  any  of  the 
offers;  however,  the  client  usually  accepts  the  first  offer  it  receives.  The  offer  from  the  DHCP  server  is 
not  a  guarantee  that  the  IP  address  is  allocated  to  the  client;  however,  the  server  usually  reserves  the 
address  until  the  client  has  had  a  chance  to  formally  request  the  address.  If  the  switch  accepts  replies 
from  a  BOOTP  server  and  configures  itself,  the  switch  broadcasts,  instead  of  unicasts,  TFTP  requests  to 
obtain  the  switch  configuration  file. 
Configuring DHCP-Based Autoconfiguration

These  sections  contain  this  configuration  information: 

•  DHCP  Server  Configuration  Guidelines,  page  3-5 

•  Configuring  the  TFTP  Server,  page  3-6 

•  Configuring  the  DNS,  page  3-6 

•  Configuring  the  Relay  Device,  page  3-6 

•  Obtaining  Configuration  Files,  page  3-7 

•  Example  Configuration,  page  3-8 

If  your  DHCP  server  is  a  Cisco  device,  see  the  "Configuring  DHCP"  section  of  the  "IP  Addressing  and 
Services"  section  of  the  Cisco  IOS  IP  Configuration  Guide,  Release  12.2  for  additional  information 
about  configuring  DHCP. 

DHCP  Server  Configuration  Guidelines 

Follow  these  guidelines  if  you  are  configuring  a  device  as  a  DHCP  server: 

You  should  configure  the  DHCP  server  with  reserved  leases  that  are  bound  to  each  switch  by  the  switch 
hardware  address. 

If  you  want  the  switch  to  receive  IP  address  information,  you  must  configure  the  DHCP  server  with  these 
lease  options: 

•  IP  address  of  the  client  (required) 

•  Subnet  mask  of  the  client  (required) 

•  DNS  server  IP  address  (optional) 

•  Router  IP  address  (default  gateway  address  to  be  used  by  the  switch)  (required) 

If  you  want  the  switch  to  receive  the  configuration  file  from  a  TFTP  server,  you  must  configure  the 
DHCP  server  with  these  lease  options: 

•  TFTP  server  name  (required) 

•  Boot  filename  (the  name  of  the  configuration  file  that  the  client  needs)  (recommended) 

•  Hostname  (optional) 

Depending  on  the  settings  of  the  DHCP  server,  the  switch  can  receive  IP  address  information,  the 
configuration  file,  or  both. 

If  you  do  not  configure  the  DHCP  server  with  the  lease  options  described  previously,  it  replies  to  client 
requests  with  only  those  parameters  that  are  configured.  If  the  IP  address  and  the  subnet  mask  are  not  in 
the  reply,  the  switch  is  not  configured.  If  the  router  IP  address  or  the  TFTP  server  name  are  not  found, 
the  switch  might  send  broadcast,  instead  of  unicast,  TFTP  requests.  Unavailability  of  other  lease  options 
does  not  affect  autoconfiguration. 
Configuring the TFTP Server

Based  on  the  DHCP  server  configuration,  the  switch  attempts  to  download  one  or  more  configuration 
files  from  the  TFTP  server.  If  you  configured  the  DHCP  server  to  respond  to  the  switch  with  all  the 
options  required  for  IP  connectivity  to  the  TFTP  server,  and  if  you  configured  the  DHCP  server  with  a 
TFTP  server  name,  address,  and  configuration  filename,  the  switch  attempts  to  download  the  specified 
configuration  file  from  the  specified  TFTP  server. 

If  you  did  not  specify  the  configuration  filename,  the  TFTP  server,  or  if  the  configuration  file  could  not 
be  downloaded,  the  switch  attempts  to  download  a  configuration  file  by  using  various  combinations  of 
filenames  and  TFTP  server  addresses.  The  files  include  the  specified  configuration  filename  (if  any)  and 
these files: network-confg, cisconet.cfg, hostname-confg, or hostname.cfg, where hostname is the
switch's  current  hostname.  The  TFTP  server  addresses  used  include  the  specified  TFTP  server  address 
(if  any)  and  the  broadcast  address  (255.255.255.255). 

For  the  switch  to  successfully  download  a  configuration  file,  the  TFTP  server  must  contain  one  or  more 
configuration  files  in  its  base  directory.  The  files  can  include  these  files: 

•  The  configuration  file  named  in  the  DHCP  reply  (the  actual  switch  configuration  file). 

•  The  network-confg  or  the  cisconet.cfg  file  (known  as  the  default  configuration  files). 

•  The  router-confg  or  the  ciscortr.cfg  file  (These  files  contain  commands  common  to  all  switches. 
Normally,  if  the  DHCP  and  TFTP  servers  are  properly  configured,  these  files  are  not  accessed.) 

If  you  specify  the  TFTP  server  name  in  the  DHCP  server-lease  database,  you  must  also  configure  the 
TFTP  server  name-to-IP-address  mapping  in  the  DNS-server  database. 

If  the  TFTP  server  to  be  used  is  on  a  different  LAN  from  the  switch,  or  if  it  is  to  be  accessed  by  the 
switch  through  the  broadcast  address  (which  occurs  if  the  DHCP  server  response  does  not  contain  all  the 
required  information  described  previously),  a  relay  must  be  configured  to  forward  the  TFTP  packets  to 
the  TFTP  server.  For  more  information,  see  the  "Configuring  the  Relay  Device"  section  on  page  3-6. 
The  preferred  solution  is  to  configure  the  DHCP  server  with  all  the  required  information. 

Configuring  the  DNS 

The  DHCP  server  uses  the  DNS  server  to  resolve  the  TFTP  server  name  to  an  IP  address.  You  must 
configure  the  TFTP  server  name-to-IP  address  map  on  the  DNS  server.  The  TFTP  server  contains  the 
configuration  files  for  the  switch. 

You  can  configure  the  IP  addresses  of  the  DNS  servers  in  the  lease  database  of  the  DHCP  server  from 
where  the  DHCP  replies  will  retrieve  them.  You  can  enter  up  to  two  DNS  server  IP  addresses  in  the  lease 
database. 

The  DNS  server  can  be  on  the  same  or  on  a  different  LAN  as  the  switch.  If  it  is  on  a  different  LAN,  the 
switch  must  be  able  to  access  it  through  a  router. 

Configuring  the  Relay  Device 

You  must  configure  a  relay  device,  also  referred  to  as  a  relay  agent,  when  a  switch  sends  broadcast 
packets  that  require  a  response  from  a  host  on  a  different  LAN.  Examples  of  broadcast  packets  that  the 
switch  might  send  are  DHCP,  DNS,  and  in  some  cases,  TFTP  packets.  You  must  configure  this  relay 
device  to  forward  received  broadcast  packets  on  an  interface  to  the  destination  host. 

If  the  relay  device  is  a  Cisco  router,  enable  IP  routing  (ip  routing  global  configuration  command),  and 
configure  helper  addresses  by  using  the  ip  helper-address  interface  configuration  command. 
For example, in Figure 3-2, configure the router interfaces as follows:

On interface 10.0.0.2:

router(config-if)# ip helper-address 20.0.0.2
router(config-if)# ip helper-address 20.0.0.3
router(config-if)# ip helper-address 20.0.0.4

On interface 20.0.0.1:

router(config-if)# ip helper-address 10.0.0.1


Figure 3-2  Relay Device Used in Autoconfiguration: the switch (DHCP client, 10.0.0.1) is attached to the Cisco router (relay) interface 10.0.0.2; the router interface 20.0.0.1 is on the LAN with the DHCP, TFTP, and DNS servers at 20.0.0.2, 20.0.0.3, and 20.0.0.4.


Obtaining  Configuration  Files 

Depending  on  the  availability  of  the  IP  address  and  the  configuration  filename  in  the  DHCP  reserved 
lease,  the  switch  obtains  its  configuration  information  in  these  ways: 

•  The IP address and the configuration filename are reserved for the switch and provided in the DHCP reply (one-file read method).

The  switch  receives  its  IP  address,  subnet  mask,  TFTP  server  address,  and  the  configuration 
filename  from  the  DHCP  server.  The  switch  sends  a  unicast  message  to  the  TFTP  server  to  retrieve 
the  named  configuration  file  from  the  base  directory  of  the  server  and  upon  receipt,  it  completes  its 
bootup  process. 

•  The IP address and the configuration filename are reserved for the switch, but the TFTP server address is not provided in the DHCP reply (one-file read method).

The  switch  receives  its  IP  address,  subnet  mask,  and  the  configuration  filename  from  the  DHCP 
server.  The  switch  sends  a  broadcast  message  to  a  TFTP  server  to  retrieve  the  named  configuration 
file  from  the  base  directory  of  the  server,  and  upon  receipt,  it  completes  its  bootup  process. 

•  Only  the  IP  address  is  reserved  for  the  switch  and  provided  in  the  DHCP  reply.  The  configuration 
filename  is  not  provided  (two-file  read  method). 

The  switch  receives  its  IP  address,  subnet  mask,  and  the  TFTP  server  address  from  the  DHCP  server. 
The  switch  sends  a  unicast  message  to  the  TFTP  server  to  retrieve  the  network-confg  or  cisconet.cfg 
default  configuration  file.  (If  the  network-confg  file  cannot  be  read,  the  switch  reads  the  cisconet.cfg 
file.) 
The default configuration file contains the hostname-to-IP-address mapping for the switch. The
switch  fills  its  host  table  with  the  information  in  the  file  and  obtains  its  hostname.  If  the  hostname 
is  not  found  in  the  file,  the  switch  uses  the  hostname  in  the  DHCP  reply.  If  the  hostname  is  not 
specified  in  the  DHCP  reply,  the  switch  uses  the  default  Switch  as  its  hostname. 

After  obtaining  its  hostname  from  the  default  configuration  file  or  the  DHCP  reply,  the  switch  reads 
the  configuration  file  that  has  the  same  name  as  its  hostname  (hostname-confg  or  hostname. cfg, 
depending  on  whether  network-confg  or  cisconet.cfg  was  read  earlier)  from  the  TFTP  server.  If  the 
cisconet.cfg  file  is  read,  the  filename  of  the  host  is  truncated  to  eight  characters. 

If  the  switch  cannot  read  the  network-confg,  cisconet.cfg,  or  the  hostname  file,  it  reads  the 
router-confg  file.  If  the  switch  cannot  read  the  router-confg  file,  it  reads  the  ciscortr.cfg  file. 

Note  The switch broadcasts TFTP server requests if the TFTP server is not obtained from the DHCP replies, if all attempts to read the configuration file through unicast transmissions fail, or if the TFTP server name cannot be resolved to an IP address.


Example  Configuration 

Figure  3-3  shows  a  sample  network  for  retrieving  IP  information  by  using  DHCP-based  autoconfiguration. 


Figure 3-3  DHCP-Based Autoconfiguration Network Example: Switch 1 through Switch 4 (hardware addresses 00e0.9f1e.2001, 00e0.9f1e.2002, 00e0.9f1e.2003, and 00e0.9f1e.2004), a Cisco router (10.0.0.10), and the DHCP server (10.0.0.1), DNS server (10.0.0.2), and TFTP server (tftpserver, 10.0.0.3).

Table  3-2  shows  the  configuration  of  the  reserved  leases  on  the  DHCP  server. 


Table 3-2  DHCP Server Configuration

                                              Switch A        Switch B        Switch C        Switch D
Binding key (hardware address)                00e0.9f1e.2001  00e0.9f1e.2002  00e0.9f1e.2003  00e0.9f1e.2004
IP address                                    10.0.0.21       10.0.0.22       10.0.0.23       10.0.0.24
Subnet mask                                   255.255.255.0   255.255.255.0   255.255.255.0   255.255.255.0
Router address                                10.0.0.10       10.0.0.10       10.0.0.10       10.0.0.10
DNS server address                            10.0.0.2        10.0.0.2        10.0.0.2        10.0.0.2
TFTP server name                              tftpserver or   tftpserver or   tftpserver or   tftpserver or
                                              10.0.0.3        10.0.0.3        10.0.0.3        10.0.0.3
Boot filename (configuration file) (optional) switcha-confg   switchb-confg   switchc-confg   switchd-confg
Hostname (optional)                           switcha         switchb         switchc         switchd

DNS  Server  Configuration 

The DNS server maps the TFTP server name tftpserver to IP address 10.0.0.3.

TFTP Server Configuration (on UNIX)

The  TFTP  server  base  directory  is  set  to  /tftpserver/work/.  This  directory  contains  the  network-confg  file 
used  in  the  two-file  read  method.  This  file  contains  the  hostname  to  be  assigned  to  the  switch  based  on 
its  IP  address.  The  base  directory  also  contains  a  configuration  file  for  each  switch  {switcha-confg, 
switchb-confg,  and  so  forth)  as  shown  in  this  display: 

prompt> cd /tftpserver/work/
prompt> ls
network-confg
switcha-confg
switchb-confg
switchc-confg
switchd-confg
prompt> cat network-confg
ip host switcha 10.0.0.21
ip host switchb 10.0.0.22
ip host switchc 10.0.0.23
ip host switchd 10.0.0.24

DHCP  Client  Configuration 

No configuration file is present on Switch A through Switch D.

Configuration Explanation

In  Figure  3-3,  Switch  A  reads  its  configuration  file  as  follows: 

•  It  obtains  its  IP  address  10.0.0.21  from  the  DHCP  server. 

•  If  no  configuration  filename  is  given  in  the  DHCP  server  reply,  Switch  A  reads  the  network-confg 
file  from  the  base  directory  of  the  TFTP  server. 

•  It  adds  the  contents  of  the  network-confg  file  to  its  host  table. 

•  It  reads  its  host  table  by  indexing  its  IP  address  10.0.0.21  to  its  hostname  (switcha). 

•  It reads the configuration file that corresponds to its hostname; for example, it reads switcha-confg from the TFTP server.

Switches  B  through  D  retrieve  their  configuration  files  and  IP  addresses  in  the  same  way. 
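The lookup order described in "Obtaining Configuration Files" and walked through for Switch A above, modelled in Python as an added example (not Cisco's code): the lease options, DNS table and TFTP server contents are constructed dictionaries, and the returned attempts list shows which server address and filename the switch would request at each step, including the fall-back to broadcast when the reply lacks a usable TFTP server.

```python
"""Model of the configuration-file lookup a switch performs after a DHCP reply.

Added example, not Cisco's code: it follows the one-file and two-file read
methods from "Obtaining Configuration Files", the router-confg and ciscortr.cfg
fallback, the eight-character hostname truncation on the cisconet.cfg path, and
the broadcast TFTP fallback described in the Note. The DHCP lease, DNS table and
TFTP servers are constructed in-memory dictionaries; nothing is sent on a network.
"""
import re

BROADCAST = "255.255.255.255"
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HOST_LINE = re.compile(r"^\s*ip\s+host\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_network_confg(text):
    """Build the host table from 'ip host <name> <address>' lines, keyed by address."""
    table = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            table[m.group(2)] = m.group(1)
    return table


def tftp_servers_to_try(lease, dns):
    """Unicast to the server named in the lease first, then fall back to broadcast.
    A server name that DNS cannot resolve leaves only the broadcast address."""
    servers = []
    target = lease.get("tftp_server")
    if target is not None and not IPV4.match(target):
        target = dns.get(target)
    if target is not None:
        servers.append(target)
    servers.append(BROADCAST)
    return servers


def autoconfigure(lease, dns, tftp):
    """Return (hostname, configuration file read, attempts) for one DHCP reply.

    lease: option values from the reply (ip_address, subnet_mask, tftp_server,
    bootfile, hostname). dns: name -> address. tftp: server address ->
    {filename: content}; a broadcast request reaches every server.
    The hostname returned is the one used to choose the file, not one read
    from inside the configuration file itself.
    """
    if "ip_address" not in lease or "subnet_mask" not in lease:
        raise ValueError("no IP address and subnet mask in reply: switch stays unconfigured")
    attempts = []
    hostname = lease.get("hostname", "Switch")

    def fetch(server, name):
        attempts.append((server, name))
        sources = tftp.values() if server == BROADCAST else [tftp.get(server, {})]
        return next((files[name] for files in sources if name in files), None)

    for server in tftp_servers_to_try(lease, dns):
        # One-file read method: the reply named the configuration file.
        if "bootfile" in lease and fetch(server, lease["bootfile"]) is not None:
            return hostname, lease["bootfile"], attempts
        # Two-file read method: a default file supplies the hostname, then the
        # file named after the hostname is read from the same server.
        for default_name, suffix in (("network-confg", "-confg"), ("cisconet.cfg", ".cfg")):
            content = fetch(server, default_name)
            if content is None:
                continue
            hostname = parse_network_confg(content).get(lease["ip_address"], hostname)
            stem = hostname[:8] if default_name == "cisconet.cfg" else hostname
            if fetch(server, stem + suffix) is not None:
                return hostname, stem + suffix, attempts
            break
        # Neither worked: the files common to all switches.
        for fallback in ("router-confg", "ciscortr.cfg"):
            if fetch(server, fallback) is not None:
                return hostname, fallback, attempts
    return hostname, None, attempts


# Constructed sample mirroring Figure 3-3 and Table 3-2 for Switch A, with no
# boot filename in the reply so that the two-file read method is exercised.
SAMPLE_DNS = {"tftpserver": "10.0.0.3"}
SAMPLE_TFTP = {
    "10.0.0.3": {
        "network-confg": "ip host switcha 10.0.0.21\nip host switchb 10.0.0.22\n",
        "switcha-confg": "hostname switcha\n",
        "switchb-confg": "hostname switchb\n",
    }
}
SAMPLE_LEASE = {"ip_address": "10.0.0.21", "subnet_mask": "255.255.255.0",
                "tftp_server": "tftpserver"}

if __name__ == "__main__":
    print(autoconfigure(SAMPLE_LEASE, SAMPLE_DNS, SAMPLE_TFTP))
```

Running it with a lease that omits the TFTP server name, or names one that DNS cannot resolve, shows every request going to the broadcast address, which is the situation the guidelines above say to avoid by giving the DHCP server all of the required options.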
Manually Assigning IP Information

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  manually  assign  IP  information  to  multiple 
switched  virtual  interfaces  (SVIs): 


Step  1 
Step  2 

Step  3 
Step  4 
Step  5 


Step  6 
Step  7 
Step  8 
Step  9 


Command 

Purpose 

configure  terminal 

Enter  global  configuration  mode. 

interface  vlan  vlan-id 

Enter  interface  configuration  mode,  and  enter  the  VLAN  to  which  the  IP 
information  is  assigned.  The  VLAN  range  is  1  to  4094. 

ip  address  ip-address  subnet-mask 

Enter  the  IP  address  and  subnet  mask. 

exit 

Return  to  global  configuration  mode. 

ip  default-gateway  ip-address 

Enter  the  IP  address  of  the  next-hop  router  interface  that  is  directly 
connected  to  the  switch  where  a  default  gateway  is  being  configured.  The 
default  gateway  receives  IP  packets  with  unresolved  destination  IP 
addresses  from  the  switch. 

Once  the  default  gateway  is  configured,  the  switch  has  connectivity  to  the 
remote  networks  with  which  a  host  needs  to  communicate. 

Note     When  your  switch  is  configured  to  route  with  IP,  it  does  not  need 
to  have  a  default  gateway  set. 

end 

Return  to  privileged  EXEC  mode. 

show  interfaces  vlan  vlan-id 

Verify  the  configured  IP  address. 

show  ip  redirects 

Verify  the  configured  default  gateway. 

copy  running-config  startup-config 

(Optional)  Save  your  entries  in  the  configuration  file. 

To  remove  the  switch  IP  address,  use  the  no  ip  address  interface  configuration  command.  If  you  are 
removing  the  address  through  a  Telnet  session,  your  connection  to  the  switch  will  be  lost.  To  remove  the 
default  gateway  address,  use  the  no  ip  default-gateway  global  configuration  command. 

All  VLAN  interfaces  have  assigned  MAC  addresses  that  are  derived  from  the  base  MAC  address.  The 
base  MAC  address  is  the  hardware  address  that  is  on  the  switch  label.  It  also  appears  when  you  enter  the 
show  version  privileged  EXEC  command. 

On the first VLAN interface (VLAN 1), the MAC address is the base MAC address + 0x40. On the next
VLAN interface that you configure, the MAC address is the base MAC address + 0x40 + 1, and so on
for other VLAN interfaces.

You  can  enter  the  show  interfaces  vlan  vlan-id  privileged  EXEC  command  to  show  the  MAC  and 
IP  addresses.  The  MAC  addresses  that  appear  in  the  show  interfaces  vlan  vlan-id  command  output  are 
not  the  same  as  the  MAC  address  that  is  printed  on  the  switch  label  (the  base  MAC  address). 

By  default,  VLAN  1  is  the  interface  that  connects  to  the  management  network.  When  the  switch  boots 
up,  the  DHCP  client  (switch)  requests  an  IP  address  from  a  DHCP  server  by  using  the  MAC  address  of 
VLAN  1. 

For information on setting the switch system name, protecting access to privileged EXEC commands,
and setting time and calendar services, see Chapter 4, "Administering the Switch."
Checking and Saving the Running Configuration

You can check the configuration settings that you entered or changes that you made by entering this
privileged EXEC command:

Switch# show running-config
Building configuration...

Current configuration : 1833 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
!
no aaa new-model
ip subnet-zero
!
no file verify auto
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 1000
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport access vlan 2
 speed 1000
 storm-control unicast level 50.00
 storm-control action shutdown
 spanning-tree portfast
!
<output truncated>
!
interface Vlan1
 ip address 192.168.100.21 255.255.255.0
 no ip route-cache
!
ip http server
ip http secure-server
!
control-plane
!
!
line con 0
 exec-timeout 0 0
line vty 0 4
 no login
line vty 5 15
 no login
!
end
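The output above carries several settings a practitioner would flag on the management plane: passwords kept in clear text (no service password-encryption), clear-text HTTP management (ip http server), vty lines that accept sessions with no login, and a console that never times out. The checker below is an added example, not part of the guide; it parses a running-config in the format shown and reports those settings, using a trimmed copy of the output above and a hardened counterpart as constructed input.

```python
"""Audit an IOS running-config for weak management-plane settings.

Added example, not code from the Cisco guide. The checks correspond to
settings visible in the 'show running-config' output shown above.
"""
import re

# Constructed sample trimmed from the running-config shown in the guide.
SAMPLE_CONFIG = """\
version 12.2
no service password-encryption
!
no aaa new-model
!
interface Vlan1
 ip address 192.168.100.21 255.255.255.0
!
ip http server
ip http secure-server
!
line con 0
 exec-timeout 0 0
line vty 0 4
 no login
line vty 5 15
 no login
!
end
"""

# Constructed counterpart with the same settings corrected.
HARDENED_CONFIG = """\
version 12.2
service password-encryption
!
no ip http server
ip http secure-server
!
line con 0
 exec-timeout 10 0
line vty 0 15
 login local
 transport input ssh
!
end
"""

_LINE_HDR = re.compile(r"^line\s+(con|vty|aux)\s+(\d+)(?:\s+(\d+))?\s*$")


def line_sections(config):
    """Yield (type, first, last, [body lines]) for each 'line ...' block.

    IOS indents the commands that belong to a line block by one space; a
    non-indented line ends the block.
    """
    current = None
    for raw in config.splitlines():
        match = _LINE_HDR.match(raw)
        if match:
            if current:
                yield current
            kind, first, last = match.group(1), int(match.group(2)), match.group(3)
            current = (kind, first, int(last) if last else first, [])
        elif current and raw.startswith(" "):
            current[3].append(raw.strip())
        elif current:
            yield current
            current = None
    if current:
        yield current


def audit_config(config):
    """Return a list of findings, in config order, for the weak settings."""
    findings = []
    global_lines = {ln.strip() for ln in config.splitlines() if not ln.startswith(" ")}
    if "no service password-encryption" in global_lines:
        findings.append("global: passwords stored in clear text (no service password-encryption)")
    if "ip http server" in global_lines:
        findings.append("global: clear-text HTTP management enabled (ip http server)")
    for kind, first, last, body in line_sections(config):
        if kind == "con" and "exec-timeout 0 0" in body:
            findings.append(f"line con {first}: console session never times out (exec-timeout 0 0)")
        if kind == "vty" and "no login" in body:
            findings.append(f"line vty {first} {last}: remote access without authentication (no login)")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```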
To store the configuration or changes you have made to your startup configuration in flash memory,
enter this privileged EXEC command:

Switch# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...

This command saves the configuration settings that you made. If you fail to do this, your configuration
will be lost the next time you reload the system. To display information stored in the NVRAM section
of flash memory, use the show startup-config or more startup-config privileged EXEC command.

For more information about alternative locations from which to copy the configuration file, see
Appendix B, "Working with the Cisco IOS File System, Configuration Files, and Software Images."

Modifying  the  Startup  Configuration 

These  sections  describe  how  to  modify  the  switch  startup  configuration: 

•  Default  Bootup  Configuration,  page  3-12 

•  Automatically  Downloading  a  Configuration  File,  page  3-13 

•  Booting  Up  Manually,  page  3-13 

•  Booting  Up  a  Specific  Software  Image,  page  3-14 

•  Controlling  Environment  Variables,  page  3-15 

See  also  Appendix  B,  "Working  with  the  Cisco  IOS  File  System,  Configuration  Files,  and  Software 
Images,"  for  information  about  switch  configuration  files. 

Default Bootup Configuration

Table 3-3 shows the default bootup configuration.

Table 3-3  Default Bootup Configuration

Feature: Operating system software image
Default Setting: The switch attempts to automatically boot up the system using information in the
BOOT environment variable. If the variable is not set, the switch attempts to load and execute the
first executable image it can by performing a recursive, depth-first search throughout the flash file
system.

The Cisco IOS image is stored in a directory that has the same name as the image file (excluding the
.bin extension).

In a depth-first search of a directory, each encountered subdirectory is completely searched before
continuing the search in the original directory.

Feature: Configuration file
Default Setting: Configured switches use the config.text file stored on the system board in flash
memory.

A new switch has no configuration file.
Automatically Downloading a Configuration File

You  can  automatically  download  a  configuration  file  to  your  switch  by  using  the  DHCP-based 
autoconfiguration  feature.  For  more  information,  see  the  "Understanding  DHCP-Based 
Autoconfiguration"  section  on  page  3-3. 


Specifying  the  Filename  to  Read  and  Write  the  System  Configuration 

By  default,  the  Cisco  IOS  software  uses  the  file  config.text  to  read  and  write  a  nonvolatile  copy  of  the 
system  configuration.  However,  you  can  specify  a  different  filename,  which  will  be  loaded  during  the 
next  bootup  cycle. 

Beginning in privileged EXEC mode, follow these steps to specify a different configuration filename:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  boot config-file flash:/file-url
        Specify the configuration file to load during the next bootup cycle.
        For file-url, specify the path (directory) and the configuration filename.
        Filenames and directory names are case sensitive.

Step 3  end
        Return to privileged EXEC mode.

Step 4  show boot
        Verify your entries.
        The boot config-file global configuration command changes the setting of the CONFIG_FILE
        environment variable.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return to the default setting, use the no boot config-file global configuration command.


Booting  Up  Manually 

By  default,  the  switch  automatically  boots  up;  however,  you  can  configure  it  to  manually  boot  up. 

Beginning in privileged EXEC mode, follow these steps to configure the switch to manually boot up
during the next bootup cycle:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  boot manual
        Enable the switch to manually boot up during the next bootup cycle.

Step 3  end
        Return to privileged EXEC mode.

Step 4  show boot
        Verify your entries.
        The boot manual global command changes the setting of the MANUAL_BOOT environment variable.
        The next time you reboot the system, the switch is in bootloader mode, shown by the switch:
        prompt. To boot up the system, use the boot filesystem:/file-url bootloader command.
        •  For filesystem:, use flash: for the system board flash device.
        •  For file-url, specify the path (directory) and the name of the bootable image.
        Filenames and directory names are case sensitive.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To disable manual booting up, use the no boot manual global configuration command.


Booting  Up  a  Specific  Software  Image 

By  default,  the  switch  attempts  to  automatically  boot  up  the  system  using  information  in  the  BOOT 
environment  variable.  If  this  variable  is  not  set,  the  switch  attempts  to  load  and  execute  the  first 
executable  image  it  can  by  performing  a  recursive,  depth-first  search  throughout  the  flash  file  system. 
In  a  depth-first  search  of  a  directory,  each  encountered  subdirectory  is  completely  searched  before 
continuing  the  search  in  the  original  directory.  However,  you  can  specify  a  specific  image  with  which 
to  boot  up  the  switch. 

Beginning in privileged EXEC mode, follow these steps to configure the switch to boot up a specific
image during the next bootup cycle:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  boot system filesystem:/file-url
        Configure the switch to boot up a specific image in flash memory during the next bootup cycle.
        •  For filesystem:, use flash: for the system board flash device.
        •  For file-url, specify the path (directory) and the name of the bootable image.
        Filenames and directory names are case sensitive.

Step 3  end
        Return to privileged EXEC mode.

Step 4  show boot
        Verify your entries.
        The boot system global command changes the setting of the BOOT environment variable.
        During the next bootup cycle, the switch attempts to automatically boot up the system using
        information in the BOOT environment variable.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return to the default setting, use the no boot system global configuration command.
Controlling Environment Variables

With a normally operating switch, you enter the boot loader mode only through a switch console
connection configured for 9600 bps. Unplug the switch power cord, and press the switch Mode button
while reconnecting the power cord. You can release the Mode button a second or two after the LED
above port 1 turns off. Then the boot loader switch: prompt appears.

The switch bootloader software provides support for nonvolatile environment variables, which can be
used to control how the bootloader, or any other software running on the system, behaves. Bootloader
environment variables are similar to environment variables that can be set on UNIX or DOS systems.

Environment  variables  that  have  values  are  stored  in  flash  memory  outside  of  the  flash  file  system. 

Each  line  in  these  files  contains  an  environment  variable  name  and  an  equal  sign  followed  by  the  value 
of  the  variable.  A  variable  has  no  value  if  it  is  not  listed  in  this  file;  it  has  a  value  if  it  is  listed  in  the  file 
even  if  the  value  is  a  null  string.  A  variable  that  is  set  to  a  null  string  (for  example,  "  ")  is  a  variable  with 
a  value.  Many  environment  variables  are  predefined  and  have  default  values. 

Environment  variables  store  two  kinds  of  data: 

•  Data that controls code that does not read the Cisco IOS configuration file. For example, the
name of a bootloader helper file, which extends or patches the functionality of the bootloader, can
be stored as an environment variable.

•  Data that controls code that is responsible for reading the Cisco IOS configuration file. For
example, the name of the Cisco IOS configuration file can be stored as an environment variable.

You  can  change  the  settings  of  the  environment  variables  by  accessing  the  bootloader  or  by  using  Cisco 
IOS  commands.  Under  normal  circumstances,  it  is  not  necessary  to  alter  the  setting  of  the  environment 
variables. 

Note      For  complete  syntax  and  usage  information  for  the  bootloader  commands  and  environment  variables,  see 
the  command  reference  for  this  release. 
Table 3-4 describes the function of the most common environment variables.

Table 3-4  Environment Variables

Variable: BOOT

  Bootloader command: set BOOT filesystem:/file-url ...
  A semicolon-separated list of executable files to try to load and execute when automatically
  booting up the switch. If the BOOT environment variable is not set, the system attempts to load
  and execute the first executable image it can find by using a recursive, depth-first search
  through the flash file system. If the BOOT variable is set but the specified images cannot be
  loaded, the system attempts to boot up the first bootable file that it can find in the flash file
  system.

  Cisco IOS global configuration command: boot system filesystem:/file-url ...
  Specifies the Cisco IOS image to load during the next bootup cycle. This command changes the
  setting of the BOOT environment variable.

Variable: MANUAL_BOOT

  Bootloader command: set MANUAL_BOOT yes
  Decides whether the switch automatically or manually boots up.
  Valid values are 1, yes, 0, and no. If it is set to no or 0, the bootloader attempts to
  automatically boot up the system. If it is set to anything else, you must manually boot up the
  switch from the bootloader mode.

  Cisco IOS global configuration command: boot manual
  Enables manually booting up the switch during the next bootup cycle and changes the setting of
  the MANUAL_BOOT environment variable.
  The next time you reboot the system, the switch is in bootloader mode. To boot up the system, use
  the boot filesystem:/file-url bootloader command, and specify the name of the bootable image.

Variable: CONFIG_FILE

  Bootloader command: set CONFIG_FILE flash:/file-url
  Changes the filename that Cisco IOS uses to read and write a nonvolatile copy of the system
  configuration.

  Cisco IOS global configuration command: boot config-file flash:/file-url
  Specifies the filename that Cisco IOS uses to read and write a nonvolatile copy of the system
  configuration. This command changes the CONFIG_FILE environment variable.
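As an added example (not code from the Cisco guide), the Python below models the environment-variable rules stated in this section: the one-NAME=value-per-line storage format in which a listed variable with a null value still counts as set, the semicolon-separated BOOT list, and the MANUAL_BOOT rule under which only no or 0 selects automatic boot. The file contents are constructed.

```python
"""Interpret bootloader environment variables as the guide describes them.

Added example, not code from the Cisco guide. Rules applied:
  - one NAME=value per line; a name that is listed is set, even if the
    value is the empty (null) string; a name that is absent has no value
  - BOOT is a semicolon-separated list of images to try in order
  - MANUAL_BOOT: 'no' or '0' means automatic boot, anything else means
    the switch stops at the bootloader 'switch:' prompt
"""

# Constructed sample of the environment-variable storage format.
SAMPLE_ENV = """\
BOOT=flash:/example-image/example-image.bin;flash:/fallback.bin
MANUAL_BOOT=no
CONFIG_FILE=
"""


def parse_env(text):
    """Return {name: value}; value may be '' for a deliberately nulled variable."""
    env = {}
    for line in text.splitlines():
        if "=" not in line:
            continue                      # not a NAME=value line
        name, value = line.split("=", 1)
        env[name.strip()] = value
    return env


def is_set(env, name):
    """A variable is set iff it is listed, regardless of its value."""
    return name in env


def boot_candidates(env):
    """Images the loader tries, in order; [] means it falls back to the
    depth-first search of the flash file system described above."""
    return [img for img in env.get("BOOT", "").split(";") if img]


def manual_boot(env):
    """True when the next reboot stops in bootloader mode."""
    value = env.get("MANUAL_BOOT")
    if value is None:                     # unset: automatic boot
        return False
    return value not in ("no", "0")       # '', 'yes', '1', anything else: manual


if __name__ == "__main__":
    env = parse_env(SAMPLE_ENV)
    print("images:", boot_candidates(env))
    print("manual boot:", manual_boot(env))
    print("CONFIG_FILE set:", is_set(env, "CONFIG_FILE"), repr(env.get("CONFIG_FILE")))
```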

Scheduling  a  Reload  of  the  Software  Image 

You  can  schedule  a  reload  of  the  software  image  to  occur  on  the  switch  at  a  later  time  (for  example,  late 
at  night  or  during  the  weekend  when  the  switch  is  used  less),  or  you  can  synchronize  a  reload 
network-wide  (for  example,  to  perform  a  software  upgrade  on  all  switches  in  the  network). 

Note      A  scheduled  reload  must  take  place  within  approximately  24  days. 
Configuring a Scheduled Reload

To configure your switch to reload the software image at a later time, use one of these commands in
privileged EXEC mode:

•  reload in [hh:]mm [text]

This command schedules a reload of the software to take effect in the specified minutes or hours and
minutes. The reload must take place within approximately 24 days. You can specify the reason for
the reload in a string up to 255 characters in length.

•  reload at hh:mm [month day | day month] [text]

This command schedules a reload of the software to take place at the specified time (using a 24-hour
clock). If you specify the month and day, the reload is scheduled to take place at the specified time
and date. If you do not specify the month and day, the reload takes place at the specified time on the
current day (if the specified time is later than the current time) or on the next day (if the specified
time is earlier than the current time). Specifying 00:00 schedules the reload for midnight.

Note     Use  the  at  keyword  only  if  the  switch  system  clock  has  been  set  (through  Network  Time 
Protocol  (NTP),  the  hardware  calendar,  or  manually).  The  time  is  relative  to  the  configured 
time  zone  on  the  switch.  To  schedule  reloads  across  several  switches  to  occur 
simultaneously,  the  time  on  each  switch  must  be  synchronized  with  NTP. 


The  reload  command  halts  the  system.  If  the  system  is  not  set  to  manually  boot  up,  it  reboots  itself.  Use 
the  reload  command  after  you  save  the  switch  configuration  information  to  the  startup  configuration 
(copy  running-config  startup-config). 

If  your  switch  is  configured  for  manual  booting  up,  do  not  reload  it  from  a  virtual  terminal.  This 
restriction  prevents  the  switch  from  entering  the  bootloader  mode  and  thereby  taking  it  from  the  remote 
user's  control. 

If  you  modify  your  configuration  file,  the  switch  prompts  you  to  save  the  configuration  before  reloading. 
During  the  save  operation,  the  system  requests  whether  you  want  to  proceed  with  the  save  if  the 
CONFIG_FILE  environment  variable  points  to  a  startup  configuration  file  that  no  longer  exists.  If  you 
proceed  in  this  situation,  the  system  enters  setup  mode  upon  reload. 

This example shows how to reload the software on the switch on the current day at 7:30 p.m.:

Switch# reload at 19:30
Reload scheduled for 19:30:00 UTC Wed Jun 5 1996 (in 2 hours and 25 minutes)
Proceed with reload? [confirm]

This example shows how to reload the software on the switch at a future time:

Switch# reload at 02:00 jun 20
Reload scheduled for 02:00:00 UTC Thu Jun 20 1996 (in 344 hours and 53 minutes)
Proceed with reload? [confirm]

To  cancel  a  previously  scheduled  reload,  use  the  reload  cancel  privileged  EXEC  command. 
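As an added example (not code from the Cisco guide), the Python below computes the time a reload in or reload at request would fire from the rules in this section: the today-or-tomorrow choice for reload at, midnight for 00:00, and rejection of anything outside the 24-day window. The clock value, the MAX_AHEAD constant, and the treatment of a month/day already past as an error are assumptions made for the example.

```python
"""Compute when 'reload in' / 'reload at' fire, per the rules above.

Added example, not code from the Cisco guide. Assumptions: the window is
modelled as exactly 24 days; a month/day in the past is rejected rather
than rolled to next year (the IOS syntax carries no year).
"""
from datetime import datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}
MAX_AHEAD = timedelta(days=24)       # "approximately 24 days" in the guide

# Constructed clock value: 2 hours 25 minutes before the 19:30 reload shown above.
NOW_EXAMPLE = datetime(1996, 6, 5, 17, 5)


def within_window(when, now):
    """True if a reload at `when` is acceptable from `now`."""
    return now < when <= now + MAX_AHEAD


def _checked(when, now):
    if not within_window(when, now):
        raise ValueError("reload must be in the future and within approximately 24 days")
    return when


def reload_in(interval, now):
    """'reload in [hh:]mm': fire the given minutes, or hours:minutes, from now."""
    parts = interval.split(":")
    if len(parts) == 1:
        delta = timedelta(minutes=int(parts[0]))
    elif len(parts) == 2:
        delta = timedelta(hours=int(parts[0]), minutes=int(parts[1]))
    else:
        raise ValueError(f"bad interval {interval!r}")
    return _checked(now + delta, now)


def reload_at(hhmm, now, month=None, day=None):
    """'reload at hh:mm [month day]' on a 24-hour clock.

    Without a date: today if hh:mm is still ahead, otherwise tomorrow, so
    00:00 is the coming midnight. With a date: that date in the current year.
    """
    hour, minute = (int(x) for x in hhmm.split(":"))
    if month is None:
        when = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
        if when <= now:
            when += timedelta(days=1)
    else:
        when = datetime(now.year, MONTHS[month[:3].lower()], day, hour, minute)
    return _checked(when, now)


if __name__ == "__main__":
    print(reload_at("19:30", NOW_EXAMPLE))
    print(reload_at("02:00", NOW_EXAMPLE, "jun", 20))
    print(reload_in("2:25", NOW_EXAMPLE))
```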
Displaying Scheduled Reload Information

To  display  information  about  a  previously  scheduled  reload  or  to  find  out  if  a  reload  has  been  scheduled 
on  the  switch,  use  the  show  reload  privileged  EXEC  command. 

It  displays  reload  information  including  the  time  the  reload  is  scheduled  to  occur  and  the  reason  for  the 
reload  (if  it  was  specified  when  the  reload  was  scheduled). 
Administering the Switch


This  chapter  describes  how  to  perform  one-time  operations  to  administer  the  switch. 
This  chapter  consists  of  these  sections: 

•  Managing  the  System  Time  and  Date,  page  4-1 

•  Configuring  a  System  Name  and  Prompt,  page  4-14 

•  Creating  a  Banner,  page  4-17 

•  Managing  the  MAC  Address  Table,  page  4-19 

•  Managing  the  ARP  Table,  page  4-26 

Managing  the  System  Time  and  Date 

You  can  manage  the  system  time  and  date  on  your  switch  using  automatic  configuration,  such  as  the 
Network  Time  Protocol  (NTP),  or  manual  configuration  methods. 

Note      For  complete  syntax  and  usage  information  for  the  commands  used  in  this  section,  see  the  Cisco  IOS 
Configuration  Fundamentals  Command  Reference,  Release  12.2. 

These  sections  contain  this  configuration  information: 

•  Understanding  the  System  Clock,  page  4-1 

•  Understanding  Network  Time  Protocol,  page  4-2 

•  Configuring  NTP,  page  4-3 

•  Configuring  Time  and  Date  Manually,  page  4-11 

Understanding  the  System  Clock 

The  heart  of  the  time  service  is  the  system  clock.  This  clock  runs  from  the  moment  the  system  starts  up 
and  keeps  track  of  the  date  and  time. 

The  system  clock  can  then  be  set  from  these  sources: 

•  NTP 

•  Manual  configuration 
The system clock can provide time to these services:

•  User  show  commands 

•  Logging  and  debugging  messages 

The  system  clock  keeps  track  of  time  internally  based  on  Universal  Time  Coordinated  (UTC),  also 
known  as  Greenwich  Mean  Time  (GMT).  You  can  configure  information  about  the  local  time  zone  and 
summer  time  (daylight  saving  time)  so  that  the  time  appears  correctly  for  the  local  time  zone. 

The  system  clock  keeps  track  of  whether  the  time  is  authoritative  or  not  (that  is,  whether  it  has  been  set 
by  a  time  source  considered  to  be  authoritative).  If  it  is  not  authoritative,  the  time  is  available  only  for 
display  purposes  and  is  not  redistributed.  For  configuration  information,  see  the  "Configuring  Time  and 
Date  Manually"  section  on  page  4-11. 

Understanding  Network  Time  Protocol 

The  NTP  is  designed  to  time-synchronize  a  network  of  devices.  NTP  runs  over  User  Datagram  Protocol 
(UDP),  which  runs  over  IP.  NTP  is  documented  in  RFC  1305. 

An  NTP  network  usually  gets  its  time  from  an  authoritative  time  source,  such  as  a  radio  clock  or  an 
atomic  clock  attached  to  a  time  server.  NTP  then  distributes  this  time  across  the  network.  NTP  is 
extremely  efficient;  no  more  than  one  packet  per  minute  is  necessary  to  synchronize  two  devices  to 
within  a  millisecond  of  one  another. 

NTP  uses  the  concept  of  a  stratum  to  describe  how  many  NTP  hops  away  a  device  is  from  an 
authoritative  time  source.  A  stratum  1  time  server  has  a  radio  or  atomic  clock  directly  attached,  a 
stratum  2  time  server  receives  its  time  through  NTP  from  a  stratum  1  time  server,  and  so  on.  A  device 
running  NTP  automatically  chooses  as  its  time  source  the  device  with  the  lowest  stratum  number  with 
which  it  communicates  through  NTP.  This  strategy  effectively  builds  a  self-organizing  tree  of  NTP 
speakers. 

NTP  avoids  synchronizing  to  a  device  whose  time  might  not  be  accurate  by  never  synchronizing  to  a 
device  that  is  not  synchronized.  NTP  also  compares  the  time  reported  by  several  devices  and  does  not 
synchronize  to  a  device  whose  time  is  significantly  different  than  the  others,  even  if  its  stratum  is  lower. 

The  communications  between  devices  running  NTP  (known  as  associations)  are  usually  statically 
configured;  each  device  is  given  the  IP  address  of  all  devices  with  which  it  should  form  associations. 
Accurate  timekeeping  is  possible  by  exchanging  NTP  messages  between  each  pair  of  devices  with  an 
association.  However,  in  a  LAN  environment,  NTP  can  be  configured  to  use  IP  broadcast  messages 
instead.  This  alternative  reduces  configuration  complexity  because  each  device  can  simply  be 
configured  to  send  or  receive  broadcast  messages.  However,  in  that  case,  information  flow  is  one-way 
only. 

The  time  kept  on  a  device  is  a  critical  resource;  you  should  use  the  security  features  of  NTP  to  avoid  the 
accidental  or  malicious  setting  of  an  incorrect  time.  Two  mechanisms  are  available:  an  access  list-based 
restriction  scheme  and  an  encrypted  authentication  mechanism. 

Cisco's  implementation  of  NTP  does  not  support  stratum  1  service;  it  is  not  possible  to  connect  to  a  radio 
or  atomic  clock.  We  recommend  that  the  time  service  for  your  network  be  derived  from  the  public  NTP 
servers  available  on  the  IP  Internet. 
Figure 4-1 shows a typical network example using NTP. Switch A is the NTP master, with Switches B,
C, and D configured in NTP server mode, in server association with Switch A. Switch E is configured
as an NTP peer to the upstream and downstream switches, Switch B and Switch F.


Figure  4-1  Typical  NTP  Network  Configuration 




If  the  network  is  isolated  from  the  Internet,  Cisco's  implementation  of  NTP  allows  a  device  to  act  as  if 
it  is  synchronized  through  NTP,  when  in  fact  it  has  learned  the  time  by  using  other  means.  Other  devices 
then  synchronize  to  that  device  through  NTP. 

When  multiple  sources  of  time  are  available,  NTP  is  always  considered  to  be  more  authoritative.  NTP 
time  overrides  the  time  set  by  any  other  method. 

Several  manufacturers  include  NTP  software  for  their  host  systems,  and  a  publicly  available  version  for 
systems  running  UNIX  and  its  various  derivatives  is  also  available.  This  software  allows  host  systems 
to  be  time-synchronized  as  well. 

Configuring  NTP 

The  switch  does  not  have  a  hardware-supported  clock  and  cannot  function  as  an  NTP  master  clock  to 
which  peers  synchronize  themselves  when  an  external  NTP  source  is  not  available.  The  switch  also  has 
no  hardware  support  for  a  calendar.  As  a  result,  the  ntp  update-calendar  and  the  ntp  master  global 
configuration  commands  are  not  available. 
These sections contain this configuration information:

•  Default  NTP  Configuration,  page  4-4 

•  Configuring  NTP  Authentication,  page  4-4 

•  Configuring  NTP  Associations,  page  4-5 

•  Configuring  NTP  Broadcast  Service,  page  4-6 

•  Configuring  NTP  Access  Restrictions,  page  4-8 

•  Configuring  the  Source  IP  Address  for  NTP  Packets,  page  4-10 

•  Displaying  the  NTP  Configuration,  page  4-11 

Default NTP Configuration

Table 4-1 shows the default NTP configuration.

Table 4-1  Default NTP Configuration

Feature: NTP authentication
Default Setting: Disabled. No authentication key is specified.

Feature: NTP peer or server associations
Default Setting: None configured.

Feature: NTP broadcast service
Default Setting: Disabled; no interface sends or receives NTP broadcast packets.

Feature: NTP access restrictions
Default Setting: No access control is specified.

Feature: NTP packet source IP address
Default Setting: The source address is set by the outgoing interface.

NTP is enabled on all interfaces by default. All interfaces receive NTP packets.


Configuring  NTP  Authentication 

This  procedure  must  be  coordinated  with  the  administrator  of  the  NTP  server;  the  information  you 
configure  in  this  procedure  must  be  matched  by  the  servers  used  by  the  switch  to  synchronize  its  time  to 
the  NTP  server. 

Beginning in privileged EXEC mode, follow these steps to authenticate the associations (communications
between devices running NTP that provide for accurate timekeeping) with other devices for security
purposes:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  ntp authenticate
        Enable the NTP authentication feature, which is disabled by default.

Step 3  ntp authentication-key number md5 value
        Define the authentication keys. By default, none are defined.
        •  For number, specify a key number. The range is 1 to 4294967295.
        •  md5 specifies that message authentication support is provided by using the message
           digest algorithm 5 (MD5).
        •  For value, enter an arbitrary string of up to eight characters for the key.
        The switch does not synchronize to a device unless both have one of these authentication
        keys, and the key number is specified by the ntp trusted-key key-number command.

Step 4  ntp trusted-key key-number
        Specify one or more key numbers (defined in Step 3) that a peer NTP device must provide in
        its NTP packets for this switch to synchronize to it.
        By default, no trusted keys are defined.
        For key-number, specify the key defined in Step 3.
        This command provides protection against accidentally synchronizing the switch to a device
        that is not trusted.

Step 5  end
        Return to privileged EXEC mode.

Step 6  show running-config
        Verify your entries.

Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To  disable  NTP  authentication,  use  the  no  ntp  authenticate  global  configuration  command.  To  remove 
an  authentication  key,  use  the  no  ntp  authentication-key  number  global  configuration  command.  To 
disable  authentication  of  the  identity  of  a  device,  use  the  no  ntp  trusted-key  key-number  global 
configuration  command. 

This  example  shows  how  to  configure  the  switch  to  synchronize  only  to  devices  providing  authentication 
key  42  in  the  device's  NTP  packets: 

Switch(config)# ntp authenticate
Switch(config)# ntp authentication-key 42 md5 aNiceKey
Switch(config)# ntp trusted-key 42
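As an added example (not code from the Cisco guide), the Python below models the check these three commands produce on the receiving side: an NTP packet is used for synchronization only when its key ID is defined, is listed with ntp trusted-key, and carries a valid MD5 authenticator (the RFC 1305 scheme the md5 keyword refers to: digest over the key followed by the 48-byte header). The packet bytes and keys are constructed; key 42 mirrors the example above, and a second defined-but-untrusted key shows what ntp trusted-key adds.

```python
"""Verify an NTP packet's MD5 authenticator against defined and trusted keys.

Added example, not code from the Cisco guide. Authenticator layout per
RFC 1305: 48-byte header || 4-byte key ID || 16-byte MD5(key || header).
Keys and packet bytes below are constructed for the example.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48          # fixed NTP header; the authenticator follows it
AUTH_LEN = 4 + 16            # key ID + MD5 digest

# Constructed: 'ntp authentication-key 42 md5 aNiceKey', plus key 7 which is
# defined but deliberately NOT trusted, to show the 'ntp trusted-key' check.
KEYS = {42: b"aNiceKey", 7: b"otherKey"}
TRUSTED = {42}               # ntp trusted-key 42

# Constructed NTP v3 server header: LI=0, VN=3, mode=4, all other fields zero.
SAMPLE_HEADER = bytes([0x1C]) + bytes(NTP_HEADER_LEN - 1)


def ntp_mac(key, header):
    """RFC 1305 MD5 authenticator: digest of the key followed by the header."""
    return hashlib.md5(key + header).digest()


def append_mac(header, key_id, key):
    """Build header || key_id || digest, as a sending peer would."""
    return header + struct.pack("!I", key_id) + ntp_mac(key, header)


def verify(packet, keys, trusted):
    """Return (accepted, reason) for a received packet.

    Mirrors the rule stated in the table above: the key must be defined AND
    listed with 'ntp trusted-key', and the digest must match. Any other
    packet is not used for synchronization.
    """
    if len(packet) < NTP_HEADER_LEN + AUTH_LEN:
        return False, "no authenticator"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    digest = packet[NTP_HEADER_LEN + 4:NTP_HEADER_LEN + AUTH_LEN]
    if key_id not in keys:
        return False, f"key {key_id} not defined"
    if key_id not in trusted:
        return False, f"key {key_id} defined but not trusted"
    if not hmac.compare_digest(digest, ntp_mac(keys[key_id], header)):
        return False, "bad digest"
    return True, "authenticated"


if __name__ == "__main__":
    for key_id, key in ((42, KEYS[42]), (7, KEYS[7]), (42, b"wrongKey")):
        print(key_id, verify(append_mac(SAMPLE_HEADER, key_id, key), KEYS, TRUSTED))
```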


Configuring  NTP  Associations 

An  NTP  association  can  be  a  peer  association  (this  switch  can  either  synchronize  to  the  other  device  or 
allow  the  other  device  to  synchronize  to  it),  or  it  can  be  a  server  association  (meaning  that  only  this 
switch  synchronizes  to  the  other  device,  and  not  the  other  way  around). 
Beginning in privileged EXEC mode, follow these steps to form an NTP association with another device:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  ntp peer ip-address [version number] [key keyid] [source interface] [prefer]
        or
        ntp server ip-address [version number] [key keyid] [source interface] [prefer]
        Configure the switch system clock to synchronize a peer or to be synchronized by a peer
        (peer association).
        Configure the switch system clock to be synchronized by a time server (server association).
        No peer or server associations are defined by default.
        •  For ip-address in a peer association, specify either the IP address of the peer providing,
           or being provided, the clock synchronization. For a server association, specify the IP
           address of the time server providing the clock synchronization.
        •  (Optional) For number, specify the NTP version number. The range is 1 to 3. By default,
           Version 3 is selected.
        •  (Optional) For keyid, enter the authentication key defined with the ntp authentication-key
           global configuration command.
        •  (Optional) For interface, specify the interface from which to pick the IP source address.
           By default, the source IP address is taken from the outgoing interface.
        •  (Optional) Enter the prefer keyword to make this peer or server the preferred one that
           provides synchronization. This keyword reduces switching back and forth between peers and
           servers.

Step 3  end
        Return to privileged EXEC mode.

Step 4  show running-config
        Verify your entries.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.


You  need  to  configure  only  one  end  of  an  association;  the  other  device  can  automatically  establish  the 
association.  If  you  are  using  the  default  NTP  version  (Version  3)  and  NTP  synchronization  does  not 
occur,  try  using  NTP  Version  2.  Many  NTP  servers  on  the  Internet  run  Version  2. 

To  remove  a  peer  or  server  association,  use  the  no  ntp  peer  ip-address  or  the  no  ntp  server  ip-address 
global  configuration  command. 

This  example  shows  how  to  configure  the  switch  to  synchronize  its  system  clock  with  the  clock  of  the 
peer  at  IP  address  172.16.22.44  using  NTP  Version  2: 

Switch (config) #  ntp  server  172.16.22.44  version  2 


Configuring NTP Broadcast Service

The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP addresses of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can simply be configured to send or receive broadcast messages. However, the information flow is one-way only.

The switch can send or receive NTP broadcast packets on an interface-by-interface basis if there is an NTP broadcast server, such as a router, broadcasting time information on the network. The switch can send NTP broadcast packets to a peer so that the peer can synchronize to it. The switch can also receive NTP broadcast packets to synchronize its own clock. This section provides procedures for both sending and receiving NTP broadcast packets.

Beginning in privileged EXEC mode, follow these steps to configure the switch to send NTP broadcast packets to peers so that they can synchronize their clock to the switch:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   interface interface-id
         Specify the interface to send NTP broadcast packets, and enter interface configuration mode.

Step 3   ntp broadcast [version number] [key keyid] [destination-address]
         Enable the interface to send NTP broadcast packets to a peer.
         By default, this feature is disabled on all interfaces.
         • (Optional) For number, specify the NTP version number. The range is 1 to 3. If you do not specify a version, Version 3 is used.
         • (Optional) For keyid, specify the authentication key to use when sending packets to the peer.
         • (Optional) For destination-address, specify the IP address of the peer that is synchronizing its clock to this switch.

Step 4   end
         Return to privileged EXEC mode.

Step 5   show running-config
         Verify your entries.

Step 6   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

Step 7   Configure the connected peers to receive NTP broadcast packets as described in the next procedure.

To disable the interface from sending NTP broadcast packets, use the no ntp broadcast interface configuration command.

This example shows how to configure a port to send NTP Version 2 packets:

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ntp broadcast version 2
Beginning in privileged EXEC mode, follow these steps to configure the switch to receive NTP broadcast packets from connected peers:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   interface interface-id
         Specify the interface to receive NTP broadcast packets, and enter interface configuration mode.

Step 3   ntp broadcast client
         Enable the interface to receive NTP broadcast packets.
         By default, no interfaces receive NTP broadcast packets.

Step 4   exit
         Return to global configuration mode.

Step 5   ntp broadcastdelay microseconds
         (Optional) Change the estimated round-trip delay between the switch and the NTP broadcast server.
         The default is 3000 microseconds; the range is 1 to 999999.

Step 6   end
         Return to privileged EXEC mode.

Step 7   show running-config
         Verify your entries.

Step 8   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To disable an interface from receiving NTP broadcast packets, use the no ntp broadcast client interface configuration command. To change the estimated round-trip delay to the default, use the no ntp broadcastdelay global configuration command.

This example shows how to configure a port to receive NTP broadcast packets:

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ntp broadcast client

Configuring NTP Access Restrictions

You can control NTP access on two levels as described in these sections:

• Creating an Access Group and Assigning a Basic IP Access List, page 4-8
• Disabling NTP Services on a Specific Interface, page 4-10

Creating an Access Group and Assigning a Basic IP Access List

Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   ntp access-group {query-only | serve-only | serve | peer} access-list-number
         Create an access group, and apply a basic IP access list.
         The keywords have these meanings:
         • query-only — Allows only NTP control queries.
         • serve-only — Allows only time requests.
         • serve — Allows time requests and NTP control queries, but does not allow the switch to synchronize to the remote device.
         • peer — Allows time requests and NTP control queries and allows the switch to synchronize to the remote device.
         For access-list-number, enter a standard IP access list number from 1 to 99.

Step 3   access-list access-list-number permit source [source-wildcard]
         Create the access list.
         • For access-list-number, enter the number specified in Step 2.
         • Enter the permit keyword to permit access if the conditions are matched.
         • For source, enter the IP address of the device that is permitted access to the switch.
         • (Optional) For source-wildcard, enter the wildcard bits to be applied to the source.

         Note   When creating an access list, remember that, by default, the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end.

Step 4   end
         Return to privileged EXEC mode.

Step 5   show running-config
         Verify your entries.

Step 6   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

The access group keywords are scanned in this order, from least restrictive to most restrictive:

1. peer — Allows time requests and NTP control queries and allows the switch to synchronize itself to a device whose address passes the access list criteria.
2. serve — Allows time requests and NTP control queries, but does not allow the switch to synchronize itself to a device whose address passes the access list criteria.
3. serve-only — Allows only time requests from a device whose address passes the access list criteria.
4. query-only — Allows only NTP control queries from a device whose address passes the access list criteria.

If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted.

To remove access control to the switch NTP services, use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command.

This example shows how to configure the switch to allow itself to synchronize to a peer from access list 99. However, the switch restricts access to allow only time requests from access list 42:

Switch# configure terminal
Switch(config)# ntp access-group peer 99
Switch(config)# ntp access-group serve-only 42
Switch(config)# access-list 99 permit 172.20.130.5
Switch(config)# access-list 42 permit 172.20.130.6
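An added example (not from the Cisco guide) that models the access-group scan order and the standard access-list matching described above, including the implicit deny and the rule that no configured groups means every access type is granted. The sample configuration lines are constructed; they extend the guide's example with a wildcard entry so that one source address passes two groups and the first (least restrictive) one wins.

```python
import ipaddress
import re

# Scan order from least to most restrictive; the first group that permits wins.
ACCESS_TYPES = ("peer", "serve", "serve-only", "query-only")

# Constructed configuration lines (hypothetical addresses): access list 42 uses a
# wildcard so that 172.20.130.5 passes both the peer and the serve-only group.
SAMPLE_CONFIG = """\
ntp access-group peer 99
ntp access-group serve-only 42
access-list 99 permit 172.20.130.5
access-list 42 permit 172.20.130.0 0.0.0.255
"""


def parse_ntp_access(config: str):
    """Return ({access_type: acl_number}, {acl_number: [(action, address, wildcard)]})."""
    groups, acls = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ntp access-group (query-only|serve-only|serve|peer) (\d+)$", line):
            groups[m.group(1)] = int(m.group(2))
        elif m := re.match(r"access-list (\d+) (permit|deny) (\S+)(?: (\S+))?$", line):
            number, action, address, wildcard = m.groups()
            if address == "any":                 # 'any' is 0.0.0.0 255.255.255.255
                address, wildcard = "0.0.0.0", "255.255.255.255"
            elif address == "host":              # 'host X' is X 0.0.0.0
                address, wildcard = wildcard, "0.0.0.0"
            acls.setdefault(int(number), []).append((action, address, wildcard or "0.0.0.0"))
    return groups, acls


def acl_permits(entries, source: str) -> bool:
    """Evaluate a standard IP access list against one source address.

    A wildcard bit of 1 means 'ignore this bit', so an entry matches when every
    bit of (source XOR address) outside the wildcard is zero. Falling off the
    end of the list is the implicit deny the guide's note describes.
    """
    src = int(ipaddress.IPv4Address(source))
    for action, address, wildcard in entries:
        addr = int(ipaddress.IPv4Address(address))
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (src ^ addr) & care == 0:
            return action == "permit"
    return False


def resolve_access(groups: dict, acls: dict, source: str):
    """Return the access type granted to source: 'all' when no access groups are
    configured, None when the source passes none of the configured groups."""
    if not groups:
        return "all"
    for access_type in ACCESS_TYPES:
        number = groups.get(access_type)
        if number is not None and acl_permits(acls.get(number, []), source):
            return access_type
    return None


if __name__ == "__main__":
    groups, acls = parse_ntp_access(SAMPLE_CONFIG)
    for ip in ("172.20.130.5", "172.20.130.6", "172.20.131.1"):
        print(ip, "->", resolve_access(groups, acls, ip))
```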
Disabling NTP Services on a Specific Interface

NTP services are enabled on all interfaces by default.

Beginning in privileged EXEC mode, follow these steps to disable NTP packets from being received on an interface:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   interface interface-id
         Enter interface configuration mode, and specify the interface to disable.

Step 3   ntp disable
         Disable NTP packets from being received on the interface.
         By default, all interfaces receive NTP packets.

Step 4   end
         Return to privileged EXEC mode.

Step 5   show running-config
         Verify your entries.

Step 6   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To re-enable receipt of NTP packets on an interface, use the no ntp disable interface configuration command.


Configuring the Source IP Address for NTP Packets

When the switch sends an NTP packet, the source IP address is normally set to the address of the interface through which the NTP packet is sent. Use the ntp source global configuration command when you want to use a particular source IP address for all NTP packets. The address is taken from the specified interface. This command is useful if the address on an interface cannot be used as the destination for reply packets.

Beginning in privileged EXEC mode, follow these steps to configure a specific interface from which the IP source address is to be taken:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   ntp source type number
         Specify the interface type and number from which the IP source address is taken.
         By default, the source address is set by the outgoing interface.

Step 3   end
         Return to privileged EXEC mode.

Step 4   show running-config
         Verify your entries.

Step 5   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

The specified interface is used for the source address for all packets sent to all destinations. If a source address is to be used for a specific association, use the source keyword in the ntp peer or ntp server global configuration command as described in the "Configuring NTP Associations" section on page 4-5.
Displaying the NTP Configuration

You can use two privileged EXEC commands to display NTP information:

• show ntp associations [detail]
• show ntp status

For detailed information about the fields in these displays, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.

Configuring Time and Date Manually

If no other source of time is available, you can manually configure the time and date after the system is restarted. The time remains accurate until the next system restart. We recommend that you use manual configuration only as a last resort. If you have an outside source to which the switch can synchronize, you do not need to manually set the system clock.

These sections contain this configuration information:

• Setting the System Clock, page 4-11
• Displaying the Time and Date Configuration, page 4-12
• Configuring the Time Zone, page 4-12
• Configuring Summer Time (Daylight Saving Time), page 4-13

Setting the System Clock

If you have an outside source on the network that provides time services, such as an NTP server, you do not need to manually set the system clock.

Beginning in privileged EXEC mode, follow these steps to set the system clock:

clock set hh:mm:ss day month year
or
clock set hh:mm:ss month day year
         Manually set the system clock using one of these formats.
         • For hh:mm:ss, specify the time in hours (24-hour format), minutes, and seconds. The time specified is relative to the configured time zone.
         • For day, specify the day by date in the month.
         • For month, specify the month by name.
         • For year, specify the year (no abbreviation).

This example shows how to manually set the system clock to 1:32 p.m. on July 23, 2001:

Switch# clock set 13:32:00 23 July 2001
Displaying the Time and Date Configuration

To display the time and date configuration, use the show clock [detail] privileged EXEC command.

The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate). If the system clock has been set by a timing source such as NTP, the flag is set. If the time is not authoritative, it is used only for display purposes. Until the clock is authoritative and the authoritative flag is set, the flag prevents peers from synchronizing to the clock when the peers' time is invalid.

The symbol that precedes the show clock display has this meaning:

• * — Time is not authoritative.
• (blank) — Time is authoritative.
• . — Time is authoritative, but NTP is not synchronized.

Configuring the Time Zone

Beginning in privileged EXEC mode, follow these steps to manually configure the time zone:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   clock timezone zone hours-offset [minutes-offset]
         Set the time zone.
         The switch keeps internal time in Coordinated Universal Time (UTC), so this command is used only for display purposes and when the time is manually set.
         • For zone, enter the name of the time zone to be displayed when standard time is in effect. The default is UTC.
         • For hours-offset, enter the hours offset from UTC.
         • (Optional) For minutes-offset, enter the minutes offset from UTC.

Step 3   end
         Return to privileged EXEC mode.

Step 4   show running-config
         Verify your entries.

Step 5   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

The minutes-offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a percentage of an hour different from UTC. For example, the time zone for some sections of Atlantic Canada (AST) is UTC-3.5, where the 3 means 3 hours and .5 means 50 percent. In this case, the necessary command is clock timezone AST -3 30.

To set the time to UTC, use the no clock timezone global configuration command.
Configuring Summer Time (Daylight Saving Time)

Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   clock summer-time zone recurring [week day month hh:mm week day month hh:mm [offset]]
         Configure summer time to start and end on the specified days every year.
         Summer time is disabled by default. If you specify clock summer-time zone recurring without parameters, the summer time rules default to the United States rules.
         • For zone, specify the name of the time zone (for example, PDT) to be displayed when summer time is in effect.
         • (Optional) For week, specify the week of the month (1 to 5 or last).
         • (Optional) For day, specify the day of the week (Sunday, Monday...).
         • (Optional) For month, specify the month (January, February...).
         • (Optional) For hh:mm, specify the time (24-hour format) in hours and minutes.
         • (Optional) For offset, specify the number of minutes to add during summer time. The default is 60.

Step 3   end
         Return to privileged EXEC mode.

Step 4   show running-config
         Verify your entries.

Step 5   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

The first part of the clock summer-time global configuration command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone. The start time is relative to standard time. The end time is relative to summer time. If the starting month is after the ending month, the system assumes that you are in the southern hemisphere.

This example shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00:

Switch(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00
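An added example (not from the Cisco guide) that resolves a clock summer-time zone recurring rule to concrete start and end dates for a given year and applies the southern-hemisphere rule stated above (a start month after the end month means the period wraps over the new year). The first command string is the guide's own example; the NZDT rule is constructed, and the bare form that falls back to the United States rules is not modelled.

```python
import calendar
from datetime import datetime

WEEKDAYS = {name: i for i, name in enumerate(calendar.day_name)}          # Monday=0 .. Sunday=6
MONTHS = {name: i for i, name in enumerate(calendar.month_name) if name}   # January=1 .. December=12

# The guide's example, and a constructed (hypothetical) southern-hemisphere rule
# whose start month (September) is after its end month (April).
NORTHERN = "clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00"
SOUTHERN = "clock summer-time NZDT recurring last Sunday September 2:00 1 Sunday April 3:00"


def nth_weekday(year: int, month: int, week: str, day: str) -> int:
    """Day of month for '<week> <day>', where week is 1..5 or 'last'."""
    wanted = WEEKDAYS[day]
    last_day = calendar.monthrange(year, month)[1]
    if week == "last":
        return next(d for d in range(last_day, 0, -1) if calendar.weekday(year, month, d) == wanted)
    first = next(d for d in range(1, 8) if calendar.weekday(year, month, d) == wanted)
    d = first + 7 * (int(week) - 1)
    if d > last_day:   # a fifth occurrence does not exist in every month
        raise ValueError(f"{calendar.month_name[month]} {year} has no week {week} {day}")
    return d


def parse_recurring(command: str) -> dict:
    """Split 'clock summer-time zone recurring week day month hh:mm week day month hh:mm [offset]'."""
    t = command.split()
    if len(t) not in (12, 13) or t[:2] != ["clock", "summer-time"] or t[3] != "recurring":
        raise ValueError("expected the explicit recurring form with start and end rules")

    def rule(i):
        return {"week": t[i], "day": t[i + 1], "month": MONTHS[t[i + 2]], "time": t[i + 3]}

    return {"zone": t[2], "start": rule(4), "end": rule(8),
            "offset": int(t[12]) if len(t) == 13 else 60}   # offset defaults to 60 minutes


def rule_datetime(year: int, rule: dict) -> datetime:
    hh, mm = (int(x) for x in rule["time"].split(":"))
    day = nth_weekday(year, rule["month"], rule["week"], rule["day"])
    return datetime(year, rule["month"], day, hh, mm)


def summer_time_bounds(year: int, cfg: dict):
    """(start, end) wall-clock datetimes for the year; per the guide the start is
    read in standard time and the end in summer time."""
    return rule_datetime(year, cfg["start"]), rule_datetime(year, cfg["end"])


def in_summer_time(local, cfg: dict) -> bool:
    """True when the local wall-clock time (datetime or ISO string) falls inside
    the summer-time period. A start month after the end month means the
    southern hemisphere, so the period crosses the new year and the test wraps."""
    if isinstance(local, str):
        local = datetime.fromisoformat(local)
    start, end = summer_time_bounds(local.year, cfg)
    if cfg["start"]["month"] <= cfg["end"]["month"]:
        return start <= local < end
    return local >= start or local < end


if __name__ == "__main__":
    for cmd in (NORTHERN, SOUTHERN):
        cfg = parse_recurring(cmd)
        start, end = summer_time_bounds(2001, cfg)
        print(cfg["zone"], "2001:", start, "->", end)
```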
Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):

Step 1   configure terminal
         Enter global configuration mode.

Step 2   clock summer-time zone date [month date year hh:mm month date year hh:mm [offset]]
         or
         clock summer-time zone date [date month year hh:mm date month year hh:mm [offset]]
         Configure summer time to start on the first date and end on the second date.
         Summer time is disabled by default.
         • For zone, specify the name of the time zone (for example, PDT) to be displayed when summer time is in effect.
         • (Optional) For week, specify the week of the month (1 to 5 or last).
         • (Optional) For day, specify the day of the week (Sunday, Monday...).
         • (Optional) For month, specify the month (January, February...).
         • (Optional) For hh:mm, specify the time (24-hour format) in hours and minutes.
         • (Optional) For offset, specify the number of minutes to add during summer time. The default is 60.

Step 3   end
         Return to privileged EXEC mode.

Step 4   show running-config
         Verify your entries.

Step 5   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

The first part of the clock summer-time global configuration command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone. The start time is relative to standard time. The end time is relative to summer time. If the starting month is after the ending month, the system assumes that you are in the southern hemisphere.

To disable summer time, use the no clock summer-time global configuration command.

This example shows how to set summer time to start on October 12, 2000, at 02:00, and end on April 26, 2001, at 02:00:

Switch(config)# clock summer-time pdt date 12 October 2000 2:00 26 April 2001 2:00

Configuring a System Name and Prompt

You configure the system name on the switch to identify it. By default, the system name and prompt are Switch.

If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt. A greater-than symbol [>] is appended. The prompt is updated whenever the system name changes.

For complete syntax and usage information for the commands used in this section, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 and the Cisco IOS IP Command Reference, Volume 2 of 3: Routing Protocols, Release 12.2.

These sections contain this configuration information:

• Default System Name and Prompt Configuration, page 4-15
• Configuring a System Name, page 4-15
• Understanding DNS, page 4-15

Default System Name and Prompt Configuration

The default switch system name and prompt is Switch.

Configuring a System Name

Beginning in privileged EXEC mode, follow these steps to manually configure a system name:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   hostname name
         Manually configure a system name.
         The default setting is Switch.
         The name must follow the rules for ARPANET hostnames. They must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphens. Names can be up to 63 characters.

Step 3   end
         Return to privileged EXEC mode.

Step 4   show running-config
         Verify your entries.

Step 5   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

When you set the system name, it is also used as the system prompt.

To return to the default hostname, use the no hostname global configuration command.

Understanding DNS

The DNS protocol controls the Domain Name System (DNS), a distributed database with which you can map hostnames to IP addresses. When you configure DNS on your switch, you can substitute the hostname for the IP address with all IP commands, such as ping, telnet, connect, and related Telnet support operations.

IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain. Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, for example, the File Transfer Protocol (FTP) system, is identified as ftp.cisco.com.

To keep track of domain names, IP has defined the concept of a domain name server, which holds a cache (or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first identify the hostnames, specify the name server that is present on your network, and enable the DNS.
These sections contain this configuration information:

• Default DNS Configuration, page 4-16
• Setting Up DNS, page 4-16
• Displaying the DNS Configuration, page 4-17

Default DNS Configuration

Table 4-2 shows the default DNS configuration.

Table 4-2   Default DNS Configuration

Feature                    Default Setting
DNS enable state           Enabled.
DNS default domain name    None configured.
DNS servers                No name server addresses are configured.

Setting Up DNS

Beginning in privileged EXEC mode, follow these steps to set up your switch to use the DNS:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   ip domain-name name
         Define a default domain name that the software uses to complete unqualified hostnames (names without a dotted-decimal domain name).
         Do not include the initial period that separates an unqualified name from the domain name.
         At bootup time, no domain name is configured; however, if the switch configuration comes from a BOOTP or Dynamic Host Configuration Protocol (DHCP) server, then the default domain name might be set by the BOOTP or DHCP server (if the servers were configured with this information).

Step 3   ip name-server server-address1 [server-address2 ... server-address6]
         Specify the address of one or more name servers to use for name and address resolution.
         You can specify up to six name servers. Separate each server address with a space. The first server specified is the primary server. The switch sends DNS queries to the primary server first. If that query fails, the backup servers are queried.

Step 4   ip domain-lookup
         (Optional) Enable DNS-based hostname-to-address translation on your switch. This feature is enabled by default.
         If your network devices require connectivity with devices in networks for which you do not control name assignment, you can dynamically assign device names that uniquely identify your devices by using the global Internet naming scheme (DNS).

Step 5   end
         Return to privileged EXEC mode.

Step 6   show running-config
         Verify your entries.

Step 7   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

If you use the switch IP address as its hostname, the IP address is used and no DNS query occurs. If you configure a hostname that contains no periods (.), a period followed by the default domain name is appended to the hostname before the DNS query is made to map the name to an IP address. The default domain name is the value set by the ip domain-name global configuration command. If there is a period (.) in the hostname, the Cisco IOS software looks up the IP address without appending any default domain name to the hostname.

To remove a domain name, use the no ip domain-name name global configuration command. To remove a name server address, use the no ip name-server server-address global configuration command. To disable DNS on the switch, use the no ip domain-lookup global configuration command.

Displaying the DNS Configuration

To display the DNS configuration information, use the show running-config privileged EXEC command.


Creating  a  Banner 

You  can  configure  a  message-of-the-day  (MOTD)  and  a  login  banner.  The  MOTD  banner  displays  on 
all  connected  terminals  at  login  and  is  useful  for  sending  messages  that  affect  all  network  users  (such  as 
impending  system  shutdowns). 

The  login  banner  also  displays  on  all  connected  terminals.  It  appears  after  the  MOTD  banner  and  before 
the  login  prompts. 

N   

Note      For  complete  syntax  and  usage  information  for  the  commands  used  in  this  section,  see  the  Cisco  IOS 
Configuration  Fundamentals  Command  Reference,  Release  12.2. 

These  sections  contain  this  configuration  information: 

•  Default  Banner  Configuration,  page  4-17 

•  Configuring  a  Message-of-the-Day  Login  Banner,  page  4-18 

•  Configuring  a  Login  Banner,  page  4-19 

Default  Banner  Configuration 

The  MOTD  and  login  banners  are  not  configured. 
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Configuring  a  Message-of-the-Day  Login  Banner 


You  can  create  a  single  or  multiline  message  banner  that  appears  on  the  screen  when  someone  logs  in  to 
the  switch. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  a  MOTD  login  banner: 


Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.

Step 2  Command: banner motd c message c
        Purpose: Specify the message of the day.
        For c, enter the delimiting character of your choice, for example, a pound sign (#), and press the
        Return key. The delimiting character signifies the beginning and end of the banner text. Characters
        after the ending delimiter are discarded.
        For message, enter a banner message up to 255 characters. You cannot use the delimiting character
        in the message.

Step 3  Command: end
        Purpose: Return to privileged EXEC mode.

Step 4  Command: show running-config
        Purpose: Verify your entries.

Step 5  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.

To  delete  the  MOTD  banner,  use  the  no  banner  motd  global  configuration  command. 

This  example  shows  how  to  configure  a  MOTD  banner  for  the  switch  by  using  the  pound  sign  (#)  symbol 
as  the  beginning  and  ending  delimiter: 

Switch(config)# banner motd #
This is a secure site. Only authorized users are allowed.
For access, contact technical support.
#
Switch(config)#

This  example  shows  the  banner  that  appears  from  the  previous  configuration: 

Unix> telnet 172.2.5.4
Trying 172.2.5.4...
Connected to 172.2.5.4.
Escape character is '^]'.

This is a secure site. Only authorized users are allowed.
For access, contact technical support.

User Access Verification

Password:
Configuring a Login Banner

You  can  configure  a  login  banner  to  be  displayed  on  all  connected  terminals.  This  banner  appears  after 
the  MOTD  banner  and  before  the  login  prompt. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  a  login  banner: 


Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.

Step 2  Command: banner login c message c
        Purpose: Specify the login message.
        For c, enter the delimiting character of your choice, for example, a pound sign (#), and press the
        Return key. The delimiting character signifies the beginning and end of the banner text. Characters
        after the ending delimiter are discarded.
        For message, enter a login message up to 255 characters. You cannot use the delimiting character
        in the message.

Step 3  Command: end
        Purpose: Return to privileged EXEC mode.

Step 4  Command: show running-config
        Purpose: Verify your entries.

Step 5  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.

To  delete  the  login  banner,  use  the  no  banner  login  global  configuration  command. 

This  example  shows  how  to  configure  a  login  banner  for  the  switch  by  using  the  dollar  sign  ($)  symbol 
as  the  beginning  and  ending  delimiter: 

Switch(config)# banner login $
Access for authorized users only. Please enter your username and password.
$
Switch(config)#


Managing  the  MAC  Address  Table 


The  MAC  address  table  contains  address  information  that  the  switch  uses  to  forward  traffic  between 
ports.  All  MAC  addresses  in  the  address  table  are  associated  with  one  or  more  ports.  The  address  table 
includes  these  types  of  addresses: 

•  Dynamic  address:  a  source  MAC  address  that  the  switch  learns  and  then  ages  when  it  is  not  in  use. 

•  Static  address:  a  manually  entered  unicast  address  that  does  not  age  and  that  is  not  lost  when  the 
switch  resets. 

The  address  table  lists  the  destination  MAC  address,  the  associated  VLAN  ID,  and  port  number 
associated  with  the  address  and  the  type  (static  or  dynamic). 


Note: For complete syntax and usage information for the commands used in this section, see the command
reference for this release.
These sections contain this configuration information:

•  Building  the  Address  Table,  page  4-20 

•  MAC  Addresses  and  VLANs,  page  4-20 

•  Default  MAC  Address  Table  Configuration,  page  4-21 

•  Changing  the  Address  Aging  Time,  page  4-21 

•  Removing  Dynamic  Address  Entries,  page  4-22 

•  Configuring  MAC  Address  Notification  Traps,  page  4-22 

•  Adding  and  Removing  Static  Address  Entries,  page  4-24 

•  Configuring  Unicast  MAC  Address  Filtering,  page  4-25 

•  Displaying  Address  Table  Entries,  page  4-26 

Building  the  Address  Table 

With  multiple  MAC  addresses  supported  on  all  ports,  you  can  connect  any  port  on  the  switch  to 
individual  workstations,  repeaters,  switches,  routers,  or  other  network  devices.  The  switch  provides 
dynamic  addressing  by  learning  the  source  address  of  packets  it  receives  on  each  port  and  adding  the 
address  and  its  associated  port  number  to  the  address  table.  As  stations  are  added  or  removed  from  the 
network,  the  switch  updates  the  address  table,  adding  new  dynamic  addresses  and  aging  out  those  that 
are  not  in  use. 

The  aging  interval  is  globally  configured.  However,  the  switch  maintains  an  address  table  for  each 
VLAN,  and  STP  can  accelerate  the  aging  interval  on  a  per-VLAN  basis. 

The  switch  sends  packets  between  any  combination  of  ports,  based  on  the  destination  address  of  the 
received  packet.  Using  the  MAC  address  table,  the  switch  forwards  the  packet  only  to  the  port  associated 
with  the  destination  address.  If  the  destination  address  is  on  the  port  that  sent  the  packet,  the  packet  is 
filtered  and  not  forwarded.  The  switch  always  uses  the  store-and-forward  method:  complete  packets  are 
stored  and  checked  for  errors  before  transmission. 

MAC  Addresses  and  VLANs 

All  addresses  are  associated  with  a  VLAN.  An  address  can  exist  in  more  than  one  VLAN  and  have 
different  destinations  in  each.  Unicast  addresses,  for  example,  could  be  forwarded  to  port  1  in  VLAN  1 
and  ports  9,  10,  and  1  in  VLAN  5. 

Each  VLAN  maintains  its  own  logical  address  table.  A  known  address  in  one  VLAN  is  unknown  in 
another  until  it  is  learned  or  statically  associated  with  a  port  in  the  other  VLAN. 
Default MAC Address Table Configuration

Table  4-3  shows  the  default  MAC  address  table  configuration. 


Table 4-3 Default MAC Address Table Configuration

Feature              Default Setting
Aging time           300 seconds
Dynamic addresses    Automatically learned
Static addresses     None configured

Changing  the  Address  Aging  Time 

Dynamic  addresses  are  source  MAC  addresses  that  the  switch  learns  and  then  ages  when  they  are  not  in 
use.  You  can  change  the  aging  time  setting  for  all  VLANs  or  for  a  specified  VLAN. 

Setting  too  short  an  aging  time  can  cause  addresses  to  be  prematurely  removed  from  the  table.  Then 
when  the  switch  receives  a  packet  for  an  unknown  destination,  it  floods  the  packet  to  all  ports  in  the  same 
VLAN  as  the  receiving  port.  This  unnecessary  flooding  can  impact  performance.  Setting  too  long  an 
aging  time  can  cause  the  address  table  to  be  filled  with  unused  addresses,  which  prevents  new  addresses 
from  being  learned.  Flooding  results,  which  can  impact  switch  performance. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  the  dynamic  address  table  aging 
time: 


Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.

Step 2  Command: mac address-table aging-time [0 | 10-1000000] [vlan vlan-id]
        Purpose: Set the length of time that a dynamic entry remains in the MAC address table after the entry
        is used or updated.
        The range is 10 to 1000000 seconds. The default is 300. You can also enter 0, which disables aging.
        Static address entries are never aged or removed from the table.
        For vlan-id, valid IDs are 1 to 4094.

Step 3  Command: end
        Purpose: Return to privileged EXEC mode.

Step 4  Command: show mac address-table aging-time
        Purpose: Verify your entries.

Step 5  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.

To  return  to  the  default  value,  use  the  no  mac  address-table  aging-time  global  configuration  command. 
Removing Dynamic Address Entries

To  remove  all  dynamic  entries,  use  the  clear  mac  address-table  dynamic  command  in  privileged  EXEC 
mode.  You  can  also  remove  a  specific  MAC  address  (clear  mac  address-table  dynamic  address 
mac-address),  remove  all  addresses  on  the  specified  physical  port  or  port  channel  (clear  mac 
address-table  dynamic  interface  interface-id),  or  remove  all  addresses  on  a  specified  VLAN  (clear 
mac  address-table  dynamic  vlan  vlan-id). 

To  verify  that  dynamic  entries  have  been  removed,  use  the  show  mac  address-table  dynamic  privileged 
EXEC  command. 


Configuring  MAC  Address  Notification  Traps 

MAC  address  notification  enables  you  to  track  users  on  a  network  by  storing  the  MAC  address  activity 
on  the  switch.  Whenever  the  switch  learns  or  removes  a  MAC  address,  an  SNMP  notification  can  be 
generated  and  sent  to  the  NMS.  If  you  have  many  users  coming  and  going  from  the  network,  you  can  set 
a  trap  interval  time  to  bundle  the  notification  traps  and  reduce  network  traffic.  The  MAC  notification 
history  table  stores  the  MAC  address  activity  for  each  hardware  port  for  which  the  trap  is  enabled.  MAC 
address  notifications  are  generated  for  dynamic  and  secure  MAC  addresses;  events  are  not  generated  for 
self  addresses,  multicast  addresses,  or  other  static  addresses. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  the  switch  to  send  MAC  address 
notification  traps  to  an  NMS  host: 


Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.

Step 2  Command: snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string
        notification-type
        Purpose: Specify the recipient of the trap message.
        • For host-addr, specify the name or address of the NMS.
        • Specify traps (the default) to send SNMP traps to the host. Specify informs to send SNMP informs
          to the host.
        • Specify the SNMP version to support. Version 1, the default, is not available with informs.
        • For community-string, specify the string to send with the notification operation. Though you can
          set this string by using the snmp-server host command, we recommend that you define this string
          by using the snmp-server community command before using the snmp-server host command.
        • For notification-type, use the mac-notification keyword.

Step 3  Command: snmp-server enable traps mac-notification
        Purpose: Enable the switch to send MAC address traps to the NMS.

Step 4  Command: mac address-table notification
        Purpose: Enable the MAC address notification feature.

Step 5  Command: mac address-table notification [interval value] | [history-size value]
        Purpose: Enter the trap interval time and the history table size.
        • (Optional) For interval value, specify the notification trap interval in seconds between each set
          of traps that are generated to the NMS. The range is 0 to 2147483647 seconds; the default is
          1 second.
        • (Optional) For history-size value, specify the maximum number of entries in the MAC notification
          history table. The range is 0 to 500; the default is 1.

Step 6  Command: interface interface-id
        Purpose: Enter interface configuration mode, and specify the interface on which to enable the SNMP
        MAC address notification trap.

Step 7  Command: snmp trap mac-notification {added | removed}
        Purpose: Enable the MAC address notification trap.
        • added: enable the MAC notification trap whenever a MAC address is added on this interface.
        • removed: enable the MAC notification trap whenever a MAC address is removed from this interface.

Step 8  Command: end
        Purpose: Return to privileged EXEC mode.

Step 9  Command: show mac address-table notification interface
                 show running-config
        Purpose: Verify your entries.

Step 10 Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.

To disable the switch from sending MAC address notification traps, use the no snmp-server enable
traps mac-notification global configuration command. To disable the MAC address notification traps
on a specific interface, use the no snmp trap mac-notification {added | removed} interface
configuration command. To disable the MAC address notification feature, use the no mac address-table
notification global configuration command.

This  example  shows  how  to  specify  172.20.10.10  as  the  NMS,  enable  the  switch  to  send  MAC  address 
notification  traps  to  the  NMS,  enable  the  MAC  address  notification  feature,  set  the  interval  time  to 
60  seconds,  set  the  history-size  to  100  entries,  and  enable  traps  whenever  a  MAC  address  is  added  on 
the  specified  port. 

Switch(config)# snmp-server host 172.20.10.10 traps private
Switch(config)# snmp-server enable traps mac-notification
Switch(config)# mac address-table notification
Switch(config)# mac address-table notification interval 60
Switch(config)# mac address-table notification history-size 100
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# snmp trap mac-notification added

You  can  verify  the  previous  commands  by  entering  the  show  mac  address-table  notification  interface 
and  the  show  mac  address-table  notification  privileged  EXEC  commands. 
Adding and Removing Static Address Entries

A  static  address  has  these  characteristics: 

•  It  is  manually  entered  in  the  address  table  and  must  be  manually  removed. 

•  It  can  be  a  unicast  or  multicast  address. 

•  It  does  not  age  and  is  retained  when  the  switch  restarts. 

You  can  add  and  remove  static  addresses  and  define  the  forwarding  behavior  for  them.  The  forwarding 
behavior  defines  how  a  port  that  receives  a  packet  forwards  it  to  another  port  for  transmission.  Because 
all  ports  are  associated  with  at  least  one  VLAN,  the  switch  acquires  the  VLAN  ID  for  the  address  from 
the  ports  that  you  specify.  You  can  specify  a  different  list  of  destination  ports  for  each  source  port. 

A  packet  with  a  static  address  that  arrives  on  a  VLAN  where  it  has  not  been  statically  entered  is  flooded 
to  all  ports  and  not  learned. 

You  add  a  static  address  to  the  address  table  by  specifying  the  destination  MAC  unicast  address  and  the 
VLAN  from  which  it  is  received.  Packets  received  with  this  destination  address  are  forwarded  to  the 
interface  specified  with  the  interface-id  option. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  add  a  static  address: 


Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.

Step 2  Command: mac address-table static mac-addr vlan vlan-id interface interface-id
        Purpose: Add a static address to the MAC address table.
        • For mac-addr, specify the destination MAC unicast address to add to the address table. Packets
          with this destination address received in the specified VLAN are forwarded to the specified
          interface.
        • For vlan-id, specify the VLAN for which the packet with the specified MAC address is received.
          Valid VLAN IDs are 1 to 4094.
        • For interface-id, specify the interface to which the received packet is forwarded. Valid interfaces
          include physical ports or port channels. For static multicast addresses, you can enter multiple
          interface IDs. For static unicast addresses, you can enter only one interface at a time, but you
          can enter the command multiple times with the same MAC address and VLAN ID.

Step 3  Command: end
        Purpose: Return to privileged EXEC mode.

Step 4  Command: show mac address-table static
        Purpose: Verify your entries.

Step 5  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.

To  remove  static  entries  from  the  address  table,  use  the  no  mac  address-table  static  mac-addr  vlan 
vlan-id  [interface  interface-id]  global  configuration  command. 

This  example  shows  how  to  add  the  static  address  c2f3.220a.12f4  to  the  MAC  address  table.  When  a 
packet  is  received  in  VLAN  4  with  this  MAC  address  as  its  destination  address,  the  packet  is  forwarded 
to  the  specified  port: 

Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 interface gigabitethernet0/1
Configuring Unicast MAC Address Filtering

When  unicast  MAC  address  filtering  is  enabled,  the  switch  drops  packets  with  specific  source  or 
destination  MAC  addresses.  This  feature  is  disabled  by  default  and  only  supports  unicast  static 
addresses. 

Follow  these  guidelines  when  using  this  feature: 

•  Multicast  MAC  addresses,  broadcast  MAC  addresses,  and  router  MAC  addresses  are  not  supported. 
If  you  specify  one  of  these  addresses  when  entering  the  mac  address-table  static  mac-addr  vlan 
vlan-id  drop  global  configuration  command,  one  of  these  messages  appears: 

%  Only  unicast  addresses  can  be  configured  to  be  dropped 
%  CPU  destined  address  cannot  be  configured  as  drop  address 

•  Packets  that  are  forwarded  to  the  CPU  are  also  not  supported. 

•  If  you  add  a  unicast  MAC  address  as  a  static  address  and  configure  unicast  MAC  address  filtering, 
the  switch  either  adds  the  MAC  address  as  a  static  address  or  drops  packets  with  that  MAC  address, 
depending  on  which  command  was  entered  last.  The  second  command  that  you  entered  overrides 
the  first  command. 

For  example,  if  you  enter  the  mac  address-table  static  mac-addr  vlan  vlan-id  interface 
interface-id  global  configuration  command  followed  by  the  mac  address-table  static  mac-addr 
vlan  vlan-id  drop  command,  the  switch  drops  packets  with  the  specified  MAC  address  as  a  source 
or  destination. 

If  you  enter  the  mac  address-table  static  mac-addr  vlan  vlan-id  drop  global  configuration 
command  followed  by  the  mac  address-table  static  mac-addr  vlan  vlan-id  interface  interface-id 
command,  the  switch  adds  the  MAC  address  as  a  static  address. 

You  enable  unicast  MAC  address  filtering  and  configure  the  switch  to  drop  packets  with  a  specific 
address  by  specifying  the  source  or  destination  unicast  MAC  address  and  the  VLAN  from  which  it  is 
received. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  the  switch  to  drop  a  source  or 
destination  unicast  static  address: 


Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.

Step 2  Command: mac address-table static mac-addr vlan vlan-id drop
        Purpose: Enable unicast MAC address filtering and configure the switch to drop a packet with the
        specified source or destination unicast static address.
        • For mac-addr, specify a source or destination unicast MAC address. Packets with this MAC address
          are dropped.
        • For vlan-id, specify the VLAN for which the packet with the specified MAC address is received.
          Valid VLAN IDs are 1 to 4094.

Step 3  Command: end
        Purpose: Return to privileged EXEC mode.

Step 4  Command: show mac address-table static
        Purpose: Verify your entries.

Step 5  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.


To  disable  unicast  MAC  address  filtering,  use  the  no  mac  address-table  static  mac-addr  vlan  vlan-id 
global  configuration  command. 
This example shows how to enable unicast MAC address filtering and to configure the switch to drop
packets  that  have  a  source  or  destination  address  of  c2f3.220a.12f4.  When  a  packet  is  received  in 
VLAN  4  with  this  MAC  address  as  its  source  or  destination,  the  packet  is  dropped: 

Switch(config)# mac address-table static c2f3.220a.12f4 vlan 4 drop
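The following Python model is added here as an illustration and is not Cisco code; it exercises the table behaviour described in the Building the Address Table, Changing the Address Aging Time, Adding and Removing Static Address Entries and Configuring Unicast MAC Address Filtering sections above: per-VLAN learning, the aging-time range (0 disables aging), static entries that never age, the last-command-wins rule between an interface entry and a drop entry, flooding of unknown destinations, and filtering when the destination is on the ingress port. The port names and MAC addresses it uses are constructed.

```python
from dataclasses import dataclass

DEFAULT_AGING = 300  # seconds, the Table 4-3 default


def is_multicast(mac: str) -> bool:
    """True when the group bit of the first octet is set (broadcast included)."""
    return int(mac.replace(".", "")[:2], 16) & 1 == 1


@dataclass
class Entry:
    ports: set            # interfaces the address is forwarded to
    static: bool          # static entries never age and survive a restart
    drop: bool = False    # unicast MAC address filtering entry
    last_seen: float = 0  # last use, for aging dynamic entries


class MacTable:
    """One logical address table per VLAN, as the chapter describes.

    Constructed model for illustration; it is not the switch's implementation.
    """

    def __init__(self, ports):
        self.ports = set(ports)             # constructed sample port names
        self.aging = {None: DEFAULT_AGING}  # None holds the global aging time
        self.tables = {}                    # vlan-id -> {mac: Entry}

    def set_aging_time(self, seconds, vlan=None):
        # mac address-table aging-time [0 | 10-1000000] [vlan vlan-id]
        if seconds != 0 and not 10 <= seconds <= 1000000:
            raise ValueError("aging time must be 0 or 10 to 1000000 seconds")
        self.aging[vlan] = seconds

    def _table(self, vlan):
        if not 1 <= vlan <= 4094:
            raise ValueError("valid VLAN IDs are 1 to 4094")
        return self.tables.setdefault(vlan, {})

    def add_static(self, mac, vlan, port):
        # mac address-table static mac-addr vlan vlan-id interface interface-id
        # Repeating the command adds another port for the same MAC and VLAN;
        # it replaces a dynamic entry and overrides an earlier drop entry.
        table = self._table(vlan)
        cur = table.get(mac)
        if cur is not None and cur.static and not cur.drop:
            cur.ports.add(port)
        else:
            table[mac] = Entry(ports={port}, static=True)

    def add_drop(self, mac, vlan):
        # mac address-table static mac-addr vlan vlan-id drop
        # Only unicast addresses are accepted; overrides an earlier interface entry.
        if is_multicast(mac):
            raise ValueError("% Only unicast addresses can be configured to be dropped")
        self._table(vlan)[mac] = Entry(ports=set(), static=True, drop=True)

    def remove_static(self, mac, vlan):
        # no mac address-table static mac-addr vlan vlan-id
        self._table(vlan).pop(mac, None)

    def age(self, now):
        """Expire dynamic entries older than their VLAN's aging time (0 = never)."""
        for vlan, table in self.tables.items():
            limit = self.aging.get(vlan, self.aging[None])
            if limit == 0:
                continue
            for mac in [m for m, e in table.items()
                        if not e.static and now - e.last_seen > limit]:
                del table[mac]

    def receive(self, src, dst, vlan, in_port, now):
        """Switch one frame; return the set of egress ports (empty = not forwarded)."""
        self.age(now)
        table = self._table(vlan)
        # Unicast MAC address filtering: drop on a matching source or destination.
        if any(e.drop for e in (table.get(src), table.get(dst)) if e is not None):
            return set()
        # A source that is static in another VLAN is flooded here and not learned.
        if any(src in t and t[src].static and not t[src].drop
               for v, t in self.tables.items() if v != vlan):
            return self.ports - {in_port}
        # Learn the source address dynamically; static entries are never moved.
        cur = table.get(src)
        if cur is None:
            table[src] = Entry(ports={in_port}, static=False, last_seen=now)
        elif not cur.static:
            cur.ports, cur.last_seen = {in_port}, now
        entry = table.get(dst)
        if entry is None:
            return self.ports - {in_port}  # unknown destination: flood the VLAN
        if entry.ports == {in_port}:
            return set()                   # destination is on the ingress port: filter
        return entry.ports - {in_port}
```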


Displaying  Address  Table  Entries 


You  can  display  the  MAC  address  table  by  using  one  or  more  of  the  privileged  EXEC  commands 
described  in  Table  4-4: 

Table 4-4 Commands for Displaying the MAC Address Table

Command                               Description
show ip igmp snooping groups          Displays the Layer 2 multicast entries for all VLANs or the specified VLAN.
show mac address-table address        Displays MAC address table information for the specified MAC address.
show mac address-table aging-time     Displays the aging time in all VLANs or the specified VLAN.
show mac address-table count          Displays the number of addresses present in all VLANs or the specified VLAN.
show mac address-table dynamic        Displays only dynamic MAC address table entries.
show mac address-table interface      Displays the MAC address table information for the specified interface.
show mac address-table notification   Displays the MAC notification parameters and history table.
show mac address-table static         Displays only static MAC address table entries.
show mac address-table vlan           Displays the MAC address table information for the specified VLAN.

Managing  the  ARP  Table 

To  communicate  with  a  device  (over  Ethernet,  for  example),  the  software  first  must  learn  the  48-bit 
MAC  address  or  the  local  data  link  address  of  that  device.  The  process  of  learning  the  local  data  link 
address  from  an  IP  address  is  called  address  resolution. 

The  Address  Resolution  Protocol  (ARP)  associates  a  host  IP  address  with  the  corresponding  media  or 
MAC  addresses  and  the  VLAN  ID.  Using  an  IP  address,  ARP  finds  the  associated  MAC  address.  When 
a  MAC  address  is  found,  the  IP-MAC  address  association  is  stored  in  an  ARP  cache  for  rapid  retrieval. 
Then  the  IP  datagram  is  encapsulated  in  a  link-layer  frame  and  sent  over  the  network.  Encapsulation  of 
IP  datagrams  and  ARP  requests  and  replies  on  IEEE  802  networks  other  than  Ethernet  is  specified  by 
the  Subnetwork  Access  Protocol  (SNAP).  By  default,  standard  Ethernet-style  ARP  encapsulation 
(represented  by  the  arpa  keyword)  is  enabled  on  the  IP  interface. 

ARP  entries  added  manually  to  the  table  do  not  age  and  must  be  manually  removed. 

For  CLI  procedures,  see  the  Cisco  IOS  Release  12.2  documentation  on  Cisco.com. 
Configuring Switch-Based Authentication


This  chapter  describes  how  to  configure  switch-based  authentication  on  the  switch. 
It  consists  of  these  sections: 

•  Preventing  Unauthorized  Access  to  Your  Switch,  page  5-1 

•  Protecting  Access  to  Privileged  EXEC  Commands,  page  5-2 

•  Controlling  Switch  Access  with  TACACS+,  page  5-10 

•  Controlling  Switch  Access  with  RADIUS,  page  5-17 

•  Controlling  Switch  Access  with  Kerberos,  page  5-32 

•  Configuring  the  Switch  for  Local  Authentication  and  Authorization,  page  5-36 

•  Configuring  the  Switch  for  Secure  Shell,  page  5-37 

•  Configuring  the  Switch  for  Secure  Socket  Layer  HTTP,  page  5-42 

•  Configuring  the  Switch  for  Secure  Copy  Protocol,  page  5-48 

Preventing  Unauthorized  Access  to  Your  Switch 

You  can  prevent  unauthorized  users  from  reconfiguring  your  switch  and  viewing  configuration 
information.  Typically,  you  want  network  administrators  to  have  access  to  your  switch  while  you  restrict 
access  to  users  who  dial  from  outside  the  network  through  an  asynchronous  port,  connect  from  outside 
the  network  through  a  serial  port,  or  connect  through  a  terminal  or  workstation  from  within  the  local 
network. 

To  prevent  unauthorized  access  into  your  switch,  you  should  configure  one  or  more  of  these  security 
features: 

•  At  a  minimum,  you  should  configure  passwords  and  privileges  at  each  switch  port.  These  passwords 
are  locally  stored  on  the  switch.  When  users  attempt  to  access  the  switch  through  a  port  or  line,  they 
must  enter  the  password  specified  for  the  port  or  line  before  they  can  access  the  switch.  For  more 
information,  see  the  "Protecting  Access  to  Privileged  EXEC  Commands"  section  on  page  5-2. 

•  For  an  additional  layer  of  security,  you  can  also  configure  username  and  password  pairs,  which  are 
locally  stored  on  the  switch.  These  pairs  are  assigned  to  lines  or  ports  and  authenticate  each  user 
before  that  user  can  access  the  switch.  If  you  have  defined  privilege  levels,  you  can  also  assign  a 
specific  privilege  level  (with  associated  rights  and  privileges)  to  each  username  and  password  pair. 
For  more  information,  see  the  "Configuring  Username  and  Password  Pairs"  section  on  page  5-6. 
•  If you want to use username and password pairs, but you want to store them centrally on a server
instead  of  locally,  you  can  store  them  in  a  database  on  a  security  server.  Multiple  networking  devices 
can  then  use  the  same  database  to  obtain  user  authentication  (and,  if  necessary,  authorization) 
information.  For  more  information,  see  the  "Controlling  Switch  Access  with  TACACS+"  section  on 
page  5-10. 


Protecting  Access  to  Privileged  EXEC  Commands 


A simple way of providing terminal access control in your network is to use passwords and assign
privilege levels. Password protection restricts access to a network or network device. Privilege levels
define what commands users can enter after they have logged into a network device.

Note: For complete syntax and usage information for the commands used in this section, see the Cisco IOS
Security Command Reference, Release 12.2.

These  sections  contain  this  configuration  information: 

•  Default  Password  and  Privilege  Level  Configuration,  page  5-2 

•  Setting  or  Changing  a  Static  Enable  Password,  page  5-3 

•  Protecting  Enable  and  Enable  Secret  Passwords  with  Encryption,  page  5-3 

•  Disabling  Password  Recovery,  page  5-5 

•  Setting  a  Telnet  Password  for  a  Terminal  Line,  page  5-6 

•  Configuring  Username  and  Password  Pairs,  page  5-6 

•  Configuring  Multiple  Privilege  Levels,  page  5-7 


Default  Password  and  Privilege  Level  Configuration 

Table  5-1  shows  the  default  password  and  privilege  level  configuration. 
Table 5-1 Default Password and Privilege Levels

Feature                                      Default Setting
Enable password and privilege level          No password is defined. The default is level 15 (privileged EXEC level).
                                             The password is not encrypted in the configuration file.
Enable secret password and privilege level   No password is defined. The default is level 15 (privileged EXEC level).
                                             The password is encrypted before it is written to the configuration file.
Line password                                No password is defined.
Setting or Changing a Static Enable Password

The  enable  password  controls  access  to  the  privileged  EXEC  mode.  Beginning  in  privileged  EXEC 
mode,  follow  these  steps  to  set  or  change  a  static  enable  password: 


Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.

Step 2  Command: enable password password
        Purpose: Define a new password or change an existing password for access to privileged EXEC mode.
        By default, no password is defined.
        For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a
        number, is case sensitive, and allows spaces but ignores leading spaces. It can contain the question
        mark (?) character if you precede the question mark with the key combination Ctrl-v when you
        create the password; for example, to create the password abc?123, do this:
        Enter abc.
        Enter Ctrl-v.
        Enter ?123.
        When the system prompts you to enter the enable password, you need not precede the question mark
        with the Ctrl-v; you can simply enter abc?123 at the password prompt.

Step 3  Command: end
        Purpose: Return to privileged EXEC mode.

Step 4  Command: show running-config
        Purpose: Verify your entries.

Step 5  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.

The enable password is not encrypted and can be read in the switch configuration file.


To  remove  the  password,  use  the  no  enable  password  global  configuration  command. 

This  example  shows  how  to  change  the  enable  password  to  Ilu2c3k4y5.  The  password  is  not  encrypted 
and  provides  access  to  level  15  (traditional  privileged  EXEC  mode  access): 


Switch(config)# enable password Ilu2c3k4y5


Protecting  Enable  and  Enable  Secret  Passwords  with  Encryption 

To  provide  an  additional  layer  of  security,  particularly  for  passwords  that  cross  the  network  or  that  are 
stored  on  a  Trivial  File  Transfer  Protocol  (TFTP)  server,  you  can  use  either  the  enable  password  or 
enable  secret  global  configuration  commands.  Both  commands  accomplish  the  same  thing;  that  is,  you 
can  establish  an  encrypted  password  that  users  must  enter  to  access  privileged  EXEC  mode  (the  default) 
or  any  privilege  level  you  specify. 

We  recommend  that  you  use  the  enable  secret  command  because  it  uses  an  improved  encryption 
algorithm. 

If  you  configure  the  enable  secret  command,  it  takes  precedence  over  the  enable  password  command; 
the  two  commands  cannot  be  in  effect  simultaneously. 
Beginning in privileged EXEC mode, follow these steps to configure encryption for enable and enable
secret  passwords: 


Step 1  Command: configure terminal
        Purpose: Enter global configuration mode.

Step 2  Command: enable password [level level] {password | encryption-type encrypted-password}
        or
        enable secret [level level] {password | encryption-type encrypted-password}
        Purpose: Define a new password or change an existing password for access to privileged EXEC mode.
        or
        Define a secret password, which is saved using a nonreversible encryption method.
        • (Optional) For level, the range is from 0 to 15. Level 1 is normal user EXEC mode privileges. The
          default level is 15 (privileged EXEC mode privileges).
        • For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with
          a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password
          is defined.
        • (Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available.
          If you specify an encryption type, you must provide an encrypted password, that is, an encrypted
          password that you copy from another switch configuration.
        Note: If you specify an encryption type and then enter a clear text password, you cannot re-enter
        privileged EXEC mode. You cannot recover a lost encrypted password by any method.

Step 3  Command: service password-encryption
        Purpose: (Optional) Encrypt the password when the password is defined or when the configuration is
        written.
        Encryption prevents the password from being readable in the configuration file.

Step 4  Command: end
        Purpose: Return to privileged EXEC mode.

Step 5  Command: copy running-config startup-config
        Purpose: (Optional) Save your entries in the configuration file.


If  both  the  enable  and  enable  secret  passwords  are  defined,  users  must  enter  the  enable  secret  password. 

Use  the  level  keyword  to  define  a  password  for  a  specific  privilege  level.  After  you  specify  the  level  and 
set  a  password,  give  the  password  only  to  users  who  need  to  have  access  at  this  level.  Use  the  privilege 
level  global  configuration  command  to  specify  commands  accessible  at  various  levels.  For  more 
information,  see  the  "Configuring  Multiple  Privilege  Levels"  section  on  page  5-7. 

If  you  enable  password  encryption,  it  applies  to  all  passwords  including  username  passwords, 
authentication  key  passwords,  the  privileged  command  password,  and  console  and  virtual  terminal  line 
passwords. 

To  remove  a  password  and  level,  use  the  no  enable  password  [level  level]  or  no  enable  secret  [level 
level]  global  configuration  command.  To  disable  password  encryption,  use  the  no  service 
password-encryption  global  configuration  command. 
This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for
privilege level 2:

Switch(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8

Disabling  Password  Recovery 

By  default,  any  end  user  with  physical  access  to  the  switch  can  recover  from  a  lost  password  by 
interrupting  the  bootup  process  while  the  switch  is  powering  on  and  then  by  entering  a  new  password. 

The  password-recovery  disable  feature  protects  access  to  the  switch  password  by  disabling  part  of  this 
functionality.  When  this  feature  is  enabled,  the  end  user  can  interrupt  the  bootup  process  only  by 
agreeing  to  set  the  system  back  to  the  default  configuration.  With  password  recovery  disabled,  you  can 
still interrupt the bootup process and change the password, but the configuration file (config.text) and
the VLAN database file (vlan.dat) are deleted.


Note  If  you  disable  password  recovery,  we  recommend  that  you  keep  a  backup  copy  of  the  configuration  file 
on  a  secure  server  in  case  the  end  user  interrupts  the  bootup  process  and  sets  the  system  back  to  default 
values.  Do  not  keep  a  backup  copy  of  the  configuration  file  on  the  switch.  If  the  switch  is  operating  in 
VTP  transparent  mode,  we  recommend  that  you  also  keep  a  backup  copy  of  the  VLAN  database  file  on 
a  secure  server.  When  the  switch  is  returned  to  the  default  system  configuration,  you  can  download  the 
saved  files  to  the  switch  by  using  the  Xmodem  protocol.  For  more  information,  see  the  "Recovering  from 
a  Lost  or  Forgotten  Password"  section  on  page  29-3. 


Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  disable  password  recovery: 


Step 1  configure terminal

        Enter global configuration mode.

Step 2  no service password-recovery

        Disable password recovery.

        This setting is saved in an area of the flash memory that is accessible by the bootloader and
        the Cisco IOS image, but it is not part of the file system and is not accessible by any user.

Step 3  end

        Return to privileged EXEC mode.

Step 4  show version

        Verify the configuration by checking the last few lines of the command output.

To  re-enable  password  recovery,  use  the  service  password-recovery  global  configuration  command. 


Note  Disabling  password  recovery  will  not  work  if  you  have  set  the  switch  to  boot  up  manually  by  using  the 
boot  manual  global  configuration  command.  This  command  produces  the  bootloader  prompt  (switch:) 
after  the  switch  is  power  cycled. 
Setting a Telnet Password for a Terminal Line

When  you  power-up  your  switch  for  the  first  time,  an  automatic  setup  program  runs  to  assign  IP 
information  and  to  create  a  default  configuration  for  continued  use.  The  setup  program  also  prompts  you 
to  configure  your  switch  for  Telnet  access  through  a  password.  If  you  did  not  configure  this  password 
during  the  setup  program,  you  can  configure  it  now  through  the  command-line  interface  (CLI). 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  your  switch  for  Telnet  access: 


Step 1  Attach a PC or workstation with emulation software to the switch console port.

        The default data characteristics of the console port are 9600, 8, 1, no parity. You might
        need to press the Return key several times to see the command-line prompt.

Step 2  enable password password

        Enter privileged EXEC mode.

Step 3  configure terminal

        Enter global configuration mode.

Step 4  line vty 0 15

        Configure the number of Telnet sessions (lines), and enter line configuration mode.

        There are 16 possible sessions on a command-capable switch. The 0 and 15 mean that you are
        configuring all 16 possible Telnet sessions.

Step 5  password password

        Enter a Telnet password for the line or lines.

        For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start
        with a number, is case sensitive, and allows spaces but ignores leading spaces. By default,
        no password is defined.

Step 6  end

        Return to privileged EXEC mode.

Step 7  show running-config

        Verify your entries.

        The password is listed under the command line vty 0 15.

Step 8  copy running-config startup-config

        (Optional) Save your entries in the configuration file.

To remove the password, use the no password global configuration command.

This example shows how to set the Telnet password to let45me67in89:

Switch(config)# line vty 10
Switch(config-line)# password let45me67in89


Configuring  Username  and  Password  Pairs 

You  can  configure  username  and  password  pairs,  which  are  locally  stored  on  the  switch.  These  pairs  are 
assigned  to  lines  or  ports  and  authenticate  each  user  before  that  user  can  access  the  switch.  If  you  have 
defined  privilege  levels,  you  can  also  assign  a  specific  privilege  level  (with  associated  rights  and 
privileges)  to  each  username  and  password  pair. 
Beginning in privileged EXEC mode, follow these steps to establish a username-based authentication
system that requests a login username and a password:


Step 1  configure terminal

        Enter global configuration mode.

Step 2  username name [privilege level] {password encryption-type password}

        Enter the username, privilege level, and password for each user.

        • For name, specify the user ID as one word. Spaces and quotation marks are not allowed.

        • (Optional) For level, specify the privilege level the user has after gaining access. The
          range is 0 to 15. Level 15 gives privileged EXEC mode access. Level 1 gives user EXEC mode
          access.

        • For encryption-type, enter 0 to specify that an unencrypted password will follow. Enter 7
          to specify that a hidden password will follow.

        • For password, specify the password the user must enter to gain access to the switch. The
          password must be from 1 to 25 characters, can contain embedded spaces, and must be the last
          option specified in the username command.

Step 3  line console 0

        or

        line vty 0 15

        Enter line configuration mode, and configure the console port (line 0) or the VTY lines
        (line 0 to 15).

Step 4  login local

        Enable local password checking at login time. Authentication is based on the username
        specified in Step 2.

Step 5  end

        Return to privileged EXEC mode.

Step 6  show running-config

        Verify your entries.

Step 7  copy running-config startup-config

        (Optional) Save your entries in the configuration file.

To  disable  username  authentication  for  a  specific  user,  use  the  no  username  name  global  configuration 
command.  To  disable  password  checking  and  allow  connections  without  a  password,  use  the  no  login 
line  configuration  command. 
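The preceding sections (enable and enable secret passwords, password encryption, password recovery, Telnet line passwords, and username and password pairs) each describe a setting that shows up as a line in the running configuration. The following Python script is an added example, not code from Cisco or from this guide: it reads IOS-style configuration text and reports the weak settings those sections warn about. Both sample configurations are constructed for the example (the type 7 strings are made-up values; the type 5 hash is the one used in the enable secret example above), and the script assumes that a disabled password recovery is visible as "no service password-recovery" in the configuration text. It also applies a fact the guide does not state: type 7 "hidden" passwords are reversibly encoded, so only the type 5 enable secret is a true one-way hash.

```python
"""Audit IOS-style running-config text for the password settings described above.
Added example; not Cisco's code. The sample configurations are constructed."""

# Constructed sample: the weak-settings case.
WEAK_CONFIG = """\
no service password-encryption
enable password l1u2c3k4y5
enable secret 5 $1$FaD0$Xyti5Rkls3LoyxzS8
username admin privilege 15 password 7 094F471A1A0A
username audit password 0 ReadOnly1
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 password let45me67in89
 login local
line vty 5 15
 no login
"""

# Constructed sample: the same switch after applying the guide's recommendations.
HARDENED_CONFIG = """\
service password-encryption
no service password-recovery
enable secret 5 $1$FaD0$Xyti5Rkls3LoyxzS8
username admin privilege 15 password 7 094F471A1A0A
line con 0
 login local
line vty 0 15
 login local
"""


def password_type(tokens):
    """Given the tokens that follow the 'password' keyword, return the IOS
    encryption type: 0 (clear text), 7 (reversible encoding) or 5 (hash).
    A bare string with no type digit is clear text."""
    if len(tokens) >= 2 and tokens[0] in ("0", "5", "7"):
        return int(tokens[0])
    return 0


def split_sections(config):
    """Split config text into top-level commands and 'line ...' blocks
    (each block is a (line-name, [sub-commands]) pair)."""
    top, line_blocks, current = [], [], None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())   # indented sub-command of a line block
        else:
            current = None
            top.append(raw.strip())
            if raw.startswith("line "):
                current = (raw.strip(), [])
                line_blocks.append(current)
    return top, line_blocks


def audit(config):
    """Return a list of (code, detail) findings; an empty list means nothing flagged."""
    findings = []
    top, line_blocks = split_sections(config)

    has_secret = any(t.startswith("enable secret ") for t in top)
    has_enable_pw = any(t.startswith("enable password ") for t in top)
    if not has_secret:
        findings.append(("ENABLE_SECRET_MISSING", "privileged EXEC is not protected by a one-way hashed secret"))
    elif has_enable_pw:
        # The guide: enable secret takes precedence, so the enable password is dead weight.
        findings.append(("ENABLE_PASSWORD_REDUNDANT", "'enable password' is ignored while 'enable secret' is set; remove it"))
    if "no service password-encryption" in top:
        findings.append(("PASSWORD_ENCRYPTION_OFF", "line and username passwords are stored in clear text"))
    # Assumption: the disabled-recovery setting appears as this line in the config text.
    if "no service password-recovery" not in top:
        findings.append(("PASSWORD_RECOVERY_ENABLED", "console access allows a password reset that keeps the configuration"))

    for t in top:
        if t.startswith("username ") and " password " in t:
            name = t.split()[1]
            ptype = password_type(t.split(" password ", 1)[1].split())
            if ptype == 0:
                findings.append(("CLEARTEXT_PASSWORD", f"username {name}"))
            elif ptype == 7:
                findings.append(("REVERSIBLE_PASSWORD", f"username {name} (type 7)"))

    for name, cmds in line_blocks:
        login = [c for c in cmds if c == "login" or c.startswith("login ")]
        passwords = [c for c in cmds if c.startswith("password ")]
        if "no login" in cmds or not login:
            findings.append(("LINE_NO_LOGIN", f"{name} accepts connections without a password"))
        elif login == ["login"] and not passwords:
            findings.append(("LINE_NO_PASSWORD", f"{name} uses 'login' but defines no line password"))
        for c in passwords:
            ptype = password_type(c.split()[1:])
            if ptype == 0:
                findings.append(("CLEARTEXT_PASSWORD", f"{name} line password"))
            elif ptype == 7:
                findings.append(("REVERSIBLE_PASSWORD", f"{name} line password (type 7)"))
    return findings


def finding_codes(config):
    """Sorted, de-duplicated finding codes for a config; handy for summaries and tests."""
    return sorted({code for code, _ in audit(config)})


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for code, detail in audit(cfg):
            print(f"{code}: {detail}")
```

The hardened sample still produces one finding: with service password-encryption on, the username password is stored as type 7, which hides it from casual viewing but is not a one-way hash. That is the practical limit of the feature; the enable secret is the only password on this page that is stored nonreversibly.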


Configuring  Multiple  Privilege  Levels 

By  default,  the  Cisco  IOS  software  has  two  modes  of  password  security:  user  EXEC  and  privileged 
EXEC.  You  can  configure  up  to  16  hierarchical  levels  of  commands  for  each  mode.  By  configuring 
multiple  passwords,  you  can  allow  different  sets  of  users  to  have  access  to  specified  commands. 

For  example,  if  you  want  many  users  to  have  access  to  the  clear  line  command,  you  can  assign  it 
level  2  security  and  distribute  the  level  2  password  fairly  widely.  But  if  you  want  more  restricted  access 
to  the  configure  command,  you  can  assign  it  level  3  security  and  distribute  that  password  to  a  more 
restricted  group  of  users. 

These  sections  contain  this  configuration  information: 

•  Setting  the  Privilege  Level  for  a  Command,  page  5-8 

•  Changing  the  Default  Privilege  Level  for  Lines,  page  5-9 

•  Logging  into  and  Exiting  a  Privilege  Level,  page  5-9 
Setting the Privilege Level for a Command

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  set  the  privilege  level  for  a  command  mode: 


Step 1  configure terminal

        Enter global configuration mode.

Step 2  privilege mode level level command

        Set the privilege level for a command.

        • For mode, enter configure for global configuration mode, exec for EXEC mode, interface for
          interface configuration mode, or line for line configuration mode.

        • For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.
          Level 15 is the level of access permitted by the enable password.

        • For command, specify the command to which you want to restrict access.

Step 3  enable password level level password

        Specify the enable password for the privilege level.

        • For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.

        • For password, specify a string from 1 to 25 alphanumeric characters. The string cannot
          start with a number, is case sensitive, and allows spaces but ignores leading spaces. By
          default, no password is defined.

Step 4  end

        Return to privileged EXEC mode.

Step 5  show running-config

        or

        show privilege

        Verify your entries.

        The first command shows the password and access level configuration. The second command
        shows the privilege level configuration.

Step 6  copy running-config startup-config

        (Optional) Save your entries in the configuration file.

When  you  set  a  command  to  a  privilege  level,  all  commands  whose  syntax  is  a  subset  of  that  command 
are  also  set  to  that  level.  For  example,  if  you  set  the  show  ip  traffic  command  to  level  15,  the  show 
commands  and  show  ip  commands  are  automatically  set  to  privilege  level  15  unless  you  set  them 
individually  to  different  levels. 

To  return  to  the  default  privilege  for  a  given  command,  use  the  no  privilege  mode  level  level  command 
global  configuration  command. 

This example shows how to set the configure command to privilege level 14 and define SecretPswd14
as the password users must enter to use level 14 commands:

Switch(config)# privilege exec level 14 configure
Switch(config)# enable password level 14 SecretPswd14
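The subset rule above (setting show ip traffic to level 15 also moves show and show ip to level 15 unless they are set individually) is easy to get wrong when reviewing a privilege configuration by eye. The following Python class is an added example, not Cisco code: it models that rule as the guide states it, including the no privilege form that returns a command to its default, and lets you ask which level a given command ends up at. The default levels, the mode names and the method names are this example's own; real IOS keeps more state than this model.

```python
"""Model of the IOS privilege-level subset rule described above.
Added example; not Cisco's code."""


class PrivilegeTable:
    """Tracks 'privilege <mode> level <level> <command>' assignments.

    Rule modelled (from the guide): assigning a level to a command also
    assigns it to every prefix of that command (the commands whose syntax
    is a subset of it) that has not been assigned a level individually.
    """

    DEFAULT_LEVEL = 1  # assumed default for commands not listed in `defaults`

    def __init__(self, defaults=None):
        # defaults: {(mode, command): level} for commands whose built-in
        # level is not 1, e.g. {("exec", "configure"): 15}. Example's own idea.
        self.defaults = dict(defaults or {})
        self.explicit = {}  # (mode, command) -> level, in the order they were set

    def set_level(self, mode, command, level):
        """privilege <mode> level <level> <command>"""
        key = (mode, command.strip())
        self.explicit.pop(key, None)  # re-setting a command moves it to the end
        self.explicit[key] = level

    def clear_level(self, mode, command):
        """no privilege <mode> level <level> <command>: back to the default,
        or to whatever a longer command still implies for this prefix."""
        self.explicit.pop((mode, command.strip()), None)

    def _effective(self):
        """Replay the explicit assignments in order, deriving prefix levels."""
        table = {}
        for (mode, command), level in self.explicit.items():
            words = command.split()
            for n in range(1, len(words)):
                prefix = (mode, " ".join(words[:n]))
                if prefix not in self.explicit:  # individually set prefixes win
                    table[prefix] = level
            table[(mode, command)] = level
        return table

    def level_of(self, mode, command):
        """Level a user needs to run `command` in `mode`."""
        key = (mode, command.strip())
        table = self._effective()
        if key in table:
            return table[key]
        return self.defaults.get(key, self.DEFAULT_LEVEL)

    def allowed(self, mode, command, user_level):
        """True if a user at `user_level` may run the command."""
        return user_level >= self.level_of(mode, command)


if __name__ == "__main__":
    t = PrivilegeTable(defaults={("exec", "configure"): 15})
    t.set_level("exec", "show ip traffic", 15)
    t.set_level("exec", "configure", 14)   # the guide's example
    for cmd in ("show", "show ip", "show ip traffic", "show version", "configure"):
        print(f"{cmd:18s} level {t.level_of('exec', cmd)}")
```

The replay design is what makes clear_level behave like the guide describes: removing the individual setting for show ip does not leave it at its old level but lets it fall back to whatever show ip traffic still implies.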
Changing the Default Privilege Level for Lines

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  change  the  default  privilege  level  for  a  line: 


Step 1  configure terminal

        Enter global configuration mode.

Step 2  line vty line

        Select the virtual terminal line on which to restrict access.

Step 3  privilege level level

        Change the default privilege level for the line.

        For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.
        Level 15 is the level of access permitted by the enable password.

Step 4  end

        Return to privileged EXEC mode.

Step 5  show running-config

        or

        show privilege

        Verify your entries.

        The first command shows the password and access level configuration. The second command
        shows the privilege level configuration.

Step 6  copy running-config startup-config

        (Optional) Save your entries in the configuration file.

Users  can  override  the  privilege  level  you  set  using  the  privilege  level  line  configuration  command  by 
logging  in  to  the  line  and  enabling  a  different  privilege  level.  They  can  lower  the  privilege  level  by  using 
the  disable  command.  If  users  know  the  password  to  a  higher  privilege  level,  they  can  use  that  password 
to  enable  the  higher  privilege  level.  You  might  specify  a  high  level  or  privilege  level  for  your  console 
line  to  restrict  line  usage. 

To  return  to  the  default  line  privilege  level,  use  the  no  privilege  level  line  configuration  command. 


Logging  into  and  Exiting  a  Privilege  Level 

Beginning in privileged EXEC mode, follow these steps to log in to a specified privilege level and to exit
to a specified privilege level:

enable level

        Log in to a specified privilege level.

        For level, the range is 0 to 15.

disable level

        Exit to a specified privilege level.

        For level, the range is 0 to 15.
Controlling Switch Access with TACACS+

This  section  describes  how  to  enable  and  configure  Terminal  Access  Controller  Access  Control  System 
Plus  (TACACS+),  which  provides  detailed  accounting  information  and  flexible  administrative  control 
over  authentication  and  authorization  processes.  TACACS+  is  facilitated  through  authentication, 
authorization,  accounting  (AAA)  and  can  be  enabled  only  through  AAA  commands. 


Note      For  complete  syntax  and  usage  information  for  the  commands  used  in  this  section,  see  the  Cisco  IOS 
Security  Command  Reference,  Release  12.2. 

These  sections  contain  this  configuration  information: 

•  Understanding  TACACS+,  page  5-10 

•  TACACS+ Operation,  page  5-12 

•  Configuring  TACACS+,  page  5-12 

•  Displaying  the  TACACS+  Configuration,  page  5-17 

Understanding  TACACS+ 

TACACS+  is  a  security  application  that  provides  centralized  validation  of  users  attempting  to  gain 
access  to  your  switch.  TACACS+  services  are  maintained  in  a  database  on  a  TACACS+  daemon 
typically running on a UNIX or Windows NT workstation. You should have access to and should
configure a TACACS+ server before configuring TACACS+ features on your switch.

TACACS+  provides  for  separate  and  modular  authentication,  authorization,  and  accounting  facilities. 
TACACS+  allows  for  a  single  access  control  server  (the  TACACS+  daemon)  to  provide  each 
service — authentication,  authorization,  and  accounting — independently.  Each  service  can  be  tied  into  its 
own  database  to  take  advantage  of  other  services  available  on  that  server  or  on  the  network,  depending 
on  the  capabilities  of  the  daemon. 

The  goal  of  TACACS+  is  to  provide  a  method  for  managing  multiple  network  access  points  from  a  single 
management  service.  Your  switch  can  be  a  network  access  server  along  with  other  Cisco  routers  and 
access  servers.  A  network  access  server  provides  connections  to  a  single  user,  to  a  network  or 
subnetwork,  and  to  interconnected  networks  as  shown  in  Figure  5-1. 
Figure 5-1  Typical TACACS+ Network Configuration

[Figure: UNIX workstation (TACACS+ server 1), Catalyst 6500 series switch, blade servers]

TACACS+,  administered  through  the  AAA  security  services,  can  provide  these  services: 

•  Authentication — Provides  complete  control  of  authentication  through  login  and  password  dialog, 
challenge  and  response,  and  messaging  support. 

The  authentication  facility  can  conduct  a  dialog  with  the  user  (for  example,  after  a  username  and 
password  are  provided,  to  challenge  a  user  with  several  questions,  such  as  home  address,  mother's 
maiden  name,  service  type,  and  social  security  number).  The  TACACS+  authentication  service  can 
also  send  messages  to  user  screens.  For  example,  a  message  could  notify  users  that  their  passwords 
must  be  changed  because  of  the  company's  password  aging  policy. 

•  Authorization — Provides  fine-grained  control  over  user  capabilities  for  the  duration  of  the  user's 
session,  including  but  not  limited  to  setting  autocommands,  access  control,  session  duration,  or 
protocol  support.  You  can  also  enforce  restrictions  on  what  commands  a  user  can  execute  with  the 
TACACS+  authorization  feature. 

•  Accounting — Collects  and  sends  information  used  for  billing,  auditing,  and  reporting  to  the 
TACACS+  daemon.  Network  managers  can  use  the  accounting  facility  to  track  user  activity  for  a 
security  audit  or  to  provide  information  for  user  billing.  Accounting  records  include  user  identities, 
start  and  stop  times,  executed  commands  (such  as  PPP),  number  of  packets,  and  number  of  bytes. 

The  TACACS+  protocol  provides  authentication  between  the  switch  and  the  TACACS+  daemon,  and  it 
ensures  confidentiality  because  all  protocol  exchanges  between  the  switch  and  the  TACACS+  daemon 
are  encrypted. 

You  need  a  system  running  the  TACACS+  daemon  software  to  use  TACACS+  on  your  switch. 
TACACS+ Operation

When  a  user  attempts  a  simple  ASCII  login  by  authenticating  to  a  switch  using  TACACS+,  this  process 
occurs: 

1.  When  the  connection  is  established,  the  switch  contacts  the  TACACS+  daemon  to  obtain  a  username 
prompt  to  show  to  the  user.  The  user  enters  a  username,  and  the  switch  then  contacts  the  TACACS+ 
daemon  to  obtain  a  password  prompt.  The  switch  displays  the  password  prompt  to  the  user,  the  user 
enters  a  password,  and  the  password  is  then  sent  to  the  TACACS+  daemon. 

TACACS+  allows  a  dialog  between  the  daemon  and  the  user  until  the  daemon  receives  enough 
information  to  authenticate  the  user.  The  daemon  prompts  for  a  username  and  password 
combination,  but  can  include  other  items,  such  as  the  user's  mother's  maiden  name. 

2.  The  switch  eventually  receives  one  of  these  responses  from  the  TACACS+  daemon: 

•  ACCEPT — The  user  is  authenticated  and  service  can  begin.  If  the  switch  is  configured  to 
require  authorization,  authorization  begins  at  this  time. 

•  REJECT — The user is not authenticated. The user can be denied access or is prompted to retry
the login sequence, depending on the TACACS+ daemon.

•  ERROR — An  error  occurred  at  some  time  during  authentication  with  the  daemon  or  in  the 
network  connection  between  the  daemon  and  the  switch.  If  an  ERROR  response  is  received,  the 
switch  typically  tries  to  use  an  alternative  method  for  authenticating  the  user. 

•  CONTINUE — The  user  is  prompted  for  additional  authentication  information. 

After  authentication,  the  user  undergoes  an  additional  authorization  phase  if  authorization  has  been 
enabled  on  the  switch.  Users  must  first  successfully  complete  TACACS+  authentication  before 
proceeding  to  TACACS+  authorization. 

3.  If  TACACS+  authorization  is  required,  the  TACACS+  daemon  is  again  contacted,  and  it  returns  an 
ACCEPT  or  REJECT  authorization  response.  If  an  ACCEPT  response  is  returned,  the  response 
contains  data  in  the  form  of  attributes  that  direct  the  EXEC  or  NETWORK  session  for  that  user  and 
the  services  that  the  user  can  access: 

•  Telnet,  Secure  Shell  (SSH),  rlogin,  or  privileged  EXEC  services 

•  Connection  parameters,  including  the  host  or  client  IP  address,  access  list,  and  user  timeouts 

Configuring  TACACS+ 

This  section  describes  how  to  configure  your  switch  to  support  TACACS+.  At  a  minimum,  you  must 
identify  the  host  or  hosts  maintaining  the  TACACS+  daemon  and  define  the  method  lists  for  TACACS+ 
authentication.  You  can  optionally  define  method  lists  for  TACACS+  authorization  and  accounting.  A 
method  list  defines  the  sequence  and  methods  to  be  used  to  authenticate,  to  authorize,  or  to  keep  accounts 
on  a  user.  You  can  use  method  lists  to  designate  one  or  more  security  protocols  to  be  used,  thus  ensuring 
a backup system if the initial method fails. The software uses the first method listed to authenticate, to
authorize, or to keep accounts on users; if that method does not respond, the software selects the next
method  in  the  list.  This  process  continues  until  there  is  successful  communication  with  a  listed  method 
or  the  method  list  is  exhausted. 

These  sections  contain  this  configuration  information: 

•  Default  TACACS+  Configuration,  page  5-13 

•  Identifying  the  TACACS+  Server  Host  and  Setting  the  Authentication  Key,  page  5-13 

•  Configuring  TACACS+  Login  Authentication,  page  5-14 

•  Configuring  TACACS+  Authorization  for  Privileged  EXEC  Access  and  Network  Services,  page 
5-16 

•  Starting  TACACS+  Accounting,  page  5-17 


Default  TACACS+  Configuration 

TACACS+  and  AAA  are  disabled  by  default. 

To  prevent  a  lapse  in  security,  you  cannot  configure  TACACS+  through  a  network  management 
application.  When  enabled,  TACACS+  can  authenticate  users  accessing  the  switch  through  the  CLI. 


Note      Although  TACACS+  configuration  is  performed  through  the  CLI,  the  TACACS+  server  authenticates 
HTTP  connections  that  have  been  configured  with  a  privilege  level  of  15. 


Identifying  the  TACACS+  Server  Host  and  Setting  the  Authentication  Key 

You  can  configure  the  switch  to  use  a  single  server  or  AAA  server  groups  to  group  existing  server  hosts 
for  authentication.  You  can  group  servers  to  select  a  subset  of  the  configured  server  hosts  and  use  them 
for  a  particular  service.  The  server  group  is  used  with  a  global  server-host  list  and  contains  the  list  of  IP 
addresses  of  the  selected  server  hosts. 

Beginning in privileged EXEC mode, follow these steps to identify the IP host or hosts maintaining a
TACACS+ server and optionally set the encryption key:


Step 1  configure terminal

        Enter global configuration mode.

Step 2  tacacs-server host hostname [port integer] [timeout integer] [key string]

        Identify the IP host or hosts maintaining a TACACS+ server. Enter this command multiple times
        to create a list of preferred hosts. The software searches for hosts in the order in which you
        specify them.

        • For hostname, specify the name or IP address of the host.

        • (Optional) For port integer, specify a server port number. The default is port 49. The
          range is 1 to 65535.

        • (Optional) For timeout integer, specify a time in seconds the switch waits for a response
          from the daemon before it times out and declares an error. The default is 5 seconds. The
          range is 1 to 1000 seconds.

        • (Optional) For key string, specify the encryption key for encrypting and decrypting all
          traffic between the switch and the TACACS+ daemon. You must configure the same key on the
          TACACS+ daemon for encryption to be successful.

Step 3  aaa new-model

        Enable AAA.

Step 4  aaa group server tacacs+ group-name

        (Optional) Define the AAA server-group with a group name.

        This command puts the switch in a server group subconfiguration mode.

Step 5  server ip-address

        (Optional) Associate a particular TACACS+ server with the defined server group. Repeat this
        step for each TACACS+ server in the AAA server group.

        Each server in the group must be previously defined in Step 2.

Step 6  end

        Return to privileged EXEC mode.

Step 7  show tacacs

        Verify your entries.

Step 8  copy running-config startup-config

        (Optional) Save your entries in the configuration file.

To  remove  the  specified  TACACS+  server  name  or  address,  use  the  no  tacacs-server  host  hostname 
global  configuration  command.  To  remove  a  server  group  from  the  configuration  list,  use  the  no  aaa 
group  server  tacacs+  group-name  global  configuration  command.  To  remove  the  IP  address  of  a 
TACACS+  server,  use  the  no  server  ip-address  server  group  subconfiguration  command. 


Configuring  TACACS+  Login  Authentication 

To  configure  AAA  authentication,  you  define  a  named  list  of  authentication  methods  and  then  apply  that 
list  to  various  ports.  The  method  list  defines  the  types  of  authentication  to  be  performed  and  the  sequence 
in  which  they  are  performed;  it  must  be  applied  to  a  specific  port  before  any  of  the  defined  authentication 
methods  are  performed.  The  only  exception  is  the  default  method  list  (which,  by  coincidence,  is  named 
default).  The  default  method  list  is  automatically  applied  to  all  ports  except  those  that  have  a  named 
method  list  explicitly  defined.  A  defined  method  list  overrides  the  default  method  list. 

A  method  list  describes  the  sequence  and  authentication  methods  to  be  queried  to  authenticate  a  user. 
You  can  designate  one  or  more  security  protocols  to  be  used  for  authentication,  thus  ensuring  a  backup 
system  for  authentication  in  case  the  initial  method  fails.  The  software  uses  the  first  method  listed  to 
authenticate  users;  if  that  method  fails  to  respond,  the  software  selects  the  next  authentication  method 
in  the  method  list.  This  process  continues  until  there  is  successful  communication  with  a  listed 
authentication  method  or  until  all  defined  methods  are  exhausted.  If  authentication  fails  at  any  point  in 
this  cycle — meaning  that  the  security  server  or  local  username  database  responds  by  denying  the  user 
access — the  authentication  process  stops,  and  no  other  authentication  methods  are  attempted. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  login  authentication: 


Step 1  configure terminal

        Enter global configuration mode.

Step 2  aaa new-model

        Enable AAA.

Step 3  aaa authentication login {default | list-name} method1 [method2...]

        Create a login authentication method list.

        • To create a default list that is used when a named list is not specified in the login
          authentication command, use the default keyword followed by the methods that are to be
          used in default situations. The default method list is automatically applied to all ports.

        • For list-name, specify a character string to name the list you are creating.

        • For method1..., specify the actual method the authentication algorithm tries. The
          additional methods of authentication are used only if the previous method returns an
          error, not if it fails.

        Select one of these methods:

        • enable — Use the enable password for authentication. Before you can use this
          authentication method, you must define an enable password by using the enable password
          global configuration command.

        • group tacacs+ — Uses TACACS+ authentication. Before you can use this authentication
          method, you must configure the TACACS+ server. For more information, see the "Identifying
          the TACACS+ Server Host and Setting the Authentication Key" section on page 5-13.

        • line — Use the line password for authentication. Before you can use this authentication
          method, you must define a line password. Use the password password line configuration
          command.

        • local — Use the local username database for authentication. You must enter username
          information in the database. Use the username password global configuration command.

        • local-case — Use a case-sensitive local username database for authentication. You must
          enter username information in the database by using the username name password global
          configuration command.

        • none — Do not use any authentication for login.

Step 4  line [console | tty | vty] line-number [ending-line-number]

        Enter line configuration mode, and configure the lines to which you want to apply the
        authentication list.

Step 5  login authentication {default | list-name}

        Apply the authentication list to a line or set of lines.

        • If you specify default, use the default list created with the aaa authentication login
          command.

        • For list-name, specify the list created with the aaa authentication login command.

Step 6  end

        Return to privileged EXEC mode.

Step 7  show running-config

        Verify your entries.

Step 8  copy running-config startup-config

        (Optional) Save your entries in the configuration file.
To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.

Note  To  secure  the  switch  for  HTTP  access  by  using  AAA  methods,  you  must  configure  the  switch  with  the 
ip  http  authentication  aaa  global  configuration  command.  Configuring  AAA  authentication  does  not 
secure  the  switch  for  HTTP  access  by  using  AAA  methods. 

For  more  information  about  the  ip  http  authentication  command,  see  the  Cisco  IOS  Security  Command 
Reference,  Release  12.2. 


Configuring  TACACS+  Authorization  for  Privileged  EXEC  Access  and  Network  Services 

AAA  authorization  limits  the  services  available  to  a  user.  When  AAA  authorization  is  enabled,  the 
switch  uses  information  retrieved  from  the  user's  profile,  which  is  located  either  in  the  local  user 
database  or  on  the  security  server,  to  configure  the  user's  session.  The  user  is  granted  access  to  a 
requested  service  only  if  the  information  in  the  user  profile  allows  it. 

You  can  use  the  aaa  authorization  global  configuration  command  with  the  tacacs+  keyword  to  set 
parameters  that  restrict  a  user's  network  access  to  privileged  EXEC  mode. 

The  aaa  authorization  exec  tacacs+  local  command  sets  these  authorization  parameters: 

•  Use  TACACS+  for  privileged  EXEC  access  authorization  if  authentication  was  performed  by  using 
TACACS+. 

•  Use  the  local  database  if  authentication  was  not  performed  by  using  TACACS+. 

Note      Authorization  is  bypassed  for  authenticated  users  who  log  in  through  the  CLI  even  if  authorization  has 
been  configured. 

Beginning in privileged EXEC mode, follow these steps to specify TACACS+ authorization for privileged EXEC access and network services:

Command / Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  aaa authorization network tacacs+
        Configure the switch for user TACACS+ authorization for all network-related service requests.

Step 3  aaa authorization exec tacacs+
        Configure the switch for user TACACS+ authorization if the user has privileged EXEC access.
        The exec keyword might return user profile information (such as autocommand information).

Step 4  end
        Return to privileged EXEC mode.

Step 5  show running-config
        Verify your entries.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command.
Starting TACACS+ Accounting

The  AAA  accounting  feature  tracks  the  services  that  users  are  accessing  and  the  amount  of  network 
resources  that  they  are  consuming.  When  AAA  accounting  is  enabled,  the  switch  reports  user  activity  to 
the  TACACS+  security  server  in  the  form  of  accounting  records.  Each  accounting  record  contains 
accounting  attribute-value  (AV)  pairs  and  is  stored  on  the  security  server.  This  data  can  then  be  analyzed 
for  network  management,  client  billing,  or  auditing. 

Beginning in privileged EXEC mode, follow these steps to enable TACACS+ accounting for each Cisco IOS privilege level and for network services:

Command / Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  aaa accounting network start-stop tacacs+
        Enable TACACS+ accounting for all network-related service requests.

Step 3  aaa accounting exec start-stop tacacs+
        Enable TACACS+ accounting to send a start-record accounting notice at the beginning of a privileged EXEC process and a stop-record at the end.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show running-config
        Verify your entries.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To disable accounting, use the no aaa accounting {network | exec} {start-stop} method1... global configuration command.


Displaying  the  TACACS+  Configuration 

To  display  TACACS+  server  statistics,  use  the  show  tacacs  privileged  EXEC  command. 

Controlling  Switch  Access  with  RADIUS 

This section describes how to enable and configure RADIUS, which provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS is facilitated through AAA and can be enabled only through AAA commands.

Note  For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2.

These  sections  contain  this  configuration  information: 

•  Understanding  RADIUS ,  page  5-18 

•  RADIUS  Operation,  page  5-19 

•  Configuring  RADIUS,  page  5-19 

•  Displaying  the  RADIUS  Configuration,  page  5-31 
Understanding RADIUS

RADIUS  is  a  distributed  client/server  system  that  secures  networks  against  unauthorized  access. 
RADIUS  clients  run  on  supported  Cisco  routers  and  switches.  Clients  send  authentication  requests  to  a 
central  RADIUS  server,  which  contains  all  user  authentication  and  network  service  access  information. 
The  RADIUS  host  is  normally  a  multiuser  system  running  RADIUS  server  software  from  Cisco  (Cisco 
Secure  Access  Control  Server  Version  3.0),  Livingston,  Merit,  Microsoft,  or  another  software  provider. 
For  more  information,  see  the  RADIUS  server  documentation. 

Use  RADIUS  in  these  network  environments  that  require  access  security: 

•  Networks  with  multiple-vendor  access  servers,  each  supporting  RADIUS.  For  example,  access 
servers  from  several  vendors  use  a  single  RADIUS  server-based  security  database.  In  an  IP-based 
network  with  multiple  vendors'  access  servers,  dial-in  users  are  authenticated  through  a  RADIUS 
server  that  has  been  customized  to  work  with  the  Kerberos  security  system. 

•  Turnkey network security environments in which applications support the RADIUS protocol, such as in an access environment that uses a smart card access control system. In one case, RADIUS has been used with Enigma's security cards to validate users and to grant access to network resources.

•  Networks  already  using  RADIUS.  You  can  add  a  Cisco  switch  containing  a  RADIUS  client  to  the 
network.  This  might  be  the  first  step  when  you  make  a  transition  to  a  TACACS+  server.  See 
Figure  5-2  on  page  5-19. 

•  Network in which the user must only access a single service. Using RADIUS, you can control user access to a single host, to a single utility such as Telnet, or to the network through a protocol such as IEEE 802.1x. For more information about this protocol, see Chapter 6, "Configuring IEEE 802.1x Port-Based Authentication."

•  Networks  that  require  resource  accounting.  You  can  use  RADIUS  accounting  independently  of 
RADIUS  authentication  or  authorization.  The  RADIUS  accounting  functions  allow  data  to  be  sent 
at  the  start  and  end  of  services,  showing  the  amount  of  resources  (such  as  time,  packets,  bytes,  and 
so  forth)  used  during  the  session.  An  Internet  service  provider  might  use  a  freeware-based  version 
of  RADIUS  access  control  and  accounting  software  to  meet  special  security  and  billing  needs. 

RADIUS  is  not  suitable  in  these  network  security  situations: 

•  Multiprotocol  access  environments.  RADIUS  does  not  support  AppleTalk  Remote  Access  (ARA), 
NetBIOS  Frame  Control  Protocol  (NBFCP),  NetWare  Asynchronous  Services  Interface  (NASI),  or 
X.25  PAD  connections. 

•  Switch-to-switch  or  router-to-router  situations.  RADIUS  does  not  provide  two-way  authentication. 
RADIUS  can  be  used  to  authenticate  from  one  device  to  a  non-Cisco  device  if  the  non-Cisco  device 
requires  authentication. 

•  Networks  using  a  variety  of  services.  RADIUS  generally  binds  a  user  to  one  service  model. 
Figure 5-2  Transitioning from RADIUS to TACACS+ Services

RADIUS Operation

When  a  user  attempts  to  log  in  and  authenticate  to  a  switch  that  is  access  controlled  by  a  RADIUS  server, 
these  events  occur: 

1.  The  user  is  prompted  to  enter  a  username  and  password. 

2.  The  username  and  encrypted  password  are  sent  over  the  network  to  the  RADIUS  server. 

3.  The  user  receives  one  of  these  responses  from  the  RADIUS  server: 

a.  ACCEPT — The  user  is  authenticated. 

b.  REJECT — The  user  is  either  not  authenticated  and  is  prompted  to  re-enter  the  username  and 
password,  or  access  is  denied. 

c.  CHALLENGE — A  challenge  requires  additional  data  from  the  user. 

d.  CHALLENGE  PASSWORD — A  response  requests  the  user  to  select  a  new  password. 

The  ACCEPT  or  REJECT  response  is  bundled  with  additional  data  that  is  used  for  privileged  EXEC  or 
network  authorization.  Users  must  first  successfully  complete  RADIUS  authentication  before 
proceeding  to  RADIUS  authorization,  if  it  is  enabled.  The  additional  data  included  with  the  ACCEPT  or 
REJECT  packets  includes  these  items: 

•  Telnet,  SSH,  rlogin,  or  privileged  EXEC  services 

•  Connection  parameters,  including  the  host  or  client  IP  address,  access  list,  and  user  timeouts 


Configuring  RADIUS 

This  section  describes  how  to  configure  your  switch  to  support  RADIUS.  At  a  minimum,  you  must 
identify  the  host  or  hosts  that  run  the  RADIUS  server  software  and  define  the  method  lists  for  RADIUS 
authentication.  You  can  optionally  define  method  lists  for  RADIUS  authorization  and  accounting. 

A  method  list  defines  the  sequence  and  methods  to  be  used  to  authenticate,  to  authorize,  or  to  keep 
accounts  on  a  user.  You  can  use  method  lists  to  designate  one  or  more  security  protocols  to  be  used  (such 
as  TACACS+  or  local  username  lookup),  thus  ensuring  a  backup  system  if  the  initial  method  fails.  The 
software uses the first method listed to authenticate, to authorize, or to keep accounts on users; if that
method  does  not  respond,  the  software  selects  the  next  method  in  the  list.  This  process  continues  until 
there  is  successful  communication  with  a  listed  method  or  the  method  list  is  exhausted. 

You  should  have  access  to  and  should  configure  a  RADIUS  server  before  configuring  RADIUS  features 
on  your  switch. 

These  sections  contain  this  configuration  information: 

•  Default  RADIUS  Configuration,  page  5-20 

•  Identifying  the  RADIUS  Server  Host,  page  5-20  (required) 

•  Configuring  RADIUS  Login  Authentication,  page  5-23  (required) 

•  Defining  AAA  Server  Groups,  page  5-25  (optional) 

•  Configuring  RADIUS  Authorization  for  User  Privileged  Access  and  Network  Services,  page  5-27 
(optional) 

•  Starting  RADIUS  Accounting,  page  5-28  (optional) 

•  Configuring  Settings  for  All  RADIUS  Servers,  page  5-29  (optional) 

•  Configuring  the  Switch  to  Use  Vendor-Specific  RADIUS  Attributes,  page  5-29  (optional) 

•  Configuring the Switch for Vendor-Proprietary RADIUS Server Communication, page 5-31 (optional)

Default  RADIUS  Configuration 

RADIUS  and  AAA  are  disabled  by  default. 

To  prevent  a  lapse  in  security,  you  cannot  configure  RADIUS  through  a  network  management 
application.  When  enabled,  RADIUS  can  authenticate  users  accessing  the  switch  through  the  CLI. 

Identifying  the  RADIUS  Server  Host 

Switch-to-RADIUS-server  communication  involves  several  components: 

•  Hostname  or  IP  address 

•  Authentication  destination  port 

•  Accounting  destination  port 

•  Key  string 

•  Timeout  period 

•  Retransmission  value 

You  identify  RADIUS  security  servers  by  their  hostname  or  IP  address,  hostname  and  specific  UDP  port 
numbers,  or  their  IP  address  and  specific  UDP  port  numbers.  The  combination  of  the  IP  address  and  the 
UDP  port  number  creates  a  unique  identifier,  allowing  different  ports  to  be  individually  defined  as 
RADIUS  hosts  providing  a  specific  AAA  service.  This  unique  identifier  enables  RADIUS  requests  to  be 
sent  to  multiple  UDP  ports  on  a  server  at  the  same  IP  address. 

If  two  different  host  entries  on  the  same  RADIUS  server  are  configured  for  the  same  service — for 
example,  accounting — the  second  host  entry  configured  acts  as  a  fail-over  backup  to  the  first  one.  Using 
this  example,  if  the  first  host  entry  fails  to  provide  accounting  services,  the  %radius-4-radius_dead 
message  appears,  and  then  the  switch  tries  the  second  host  entry  configured  on  the  same  device  for 
accounting  services.  (The  RADIUS  host  entries  are  tried  in  the  order  that  they  are  configured.) 
A RADIUS server and the switch use a shared secret text string to encrypt passwords and exchange
responses.  To  configure  RADIUS  to  use  the  AAA  security  commands,  you  must  specify  the  host  running 
the  RADIUS  server  daemon  and  a  secret  text  (key)  string  that  it  shares  with  the  switch. 

The  timeout,  retransmission,  and  encryption  key  values  can  be  configured  globally  for  all  RADIUS 
servers,  on  a  per-server  basis,  or  in  some  combination  of  global  and  per-server  settings.  To  apply  these 
settings  globally  to  all  RADIUS  servers  communicating  with  the  switch,  use  the  three  unique  global 
configuration  commands:  radius-server  timeout,  radius-server  retransmit,  and  radius-server  key. 
To  apply  these  values  on  a  specific  RADIUS  server,  use  the  radius-server  host  global  configuration 
command. 

Note      If  you  configure  both  global  and  per-server  functions  (timeout,  retransmission,  and  key  commands)  on 
the  switch,  the  per-server  timer,  retransmission,  and  key  value  commands  override  global  timer, 
retransmission,  and  key  value  commands.  For  information  on  configuring  these  settings  on  all  RADIUS 
servers,  see  the  "Configuring  Settings  for  All  RADIUS  Servers"  section  on  page  5-29. 


You  can  configure  the  switch  to  use  AAA  server  groups  to  group  existing  server  hosts  for  authentication. 
For  more  information,  see  the  "Defining  AAA  Server  Groups"  section  on  page  5-25. 


Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required.

Command / Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
        Specify the IP address or hostname of the remote RADIUS server host.

        •  (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.

        •  (Optional) For acct-port port-number, specify the UDP destination port for accounting requests.

        •  (Optional) For timeout seconds, specify the time interval that the switch waits for the RADIUS server to reply before resending. The range is 1 to 1000. This setting overrides the radius-server timeout global configuration command setting. If no timeout is set with the radius-server host command, the setting of the radius-server timeout command is used.

        •  (Optional) For retransmit retries, specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly. The range is 1 to 1000. If no retransmit value is set with the radius-server host command, the setting of the radius-server retransmit global configuration command is used.

        •  (Optional) For key string, specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server.

        Note  The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.

        To configure the switch to recognize more than one host entry associated with a single IP address, enter this command as many times as necessary, making sure that each UDP port number is different. The switch software searches for hosts in the order in which you specify them. Set the timeout, retransmit, and encryption key values to use with the specific RADIUS host.

Step 3  end
        Return to privileged EXEC mode.

Step 4  show running-config
        Verify your entries.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command.

This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting:

Switch(config)# radius-server host 172.29.36.49 auth-port 6403 key rad1
Switch(config)# radius-server host 172.20.36.50 acct-port 6403 key rad2

This example shows how to configure host1 as the RADIUS server and to use the default ports for both authentication and accounting:

Switch(config)# radius-server host host1


Note      You  also  need  to  configure  some  settings  on  the  RADIUS  server.  These  settings  include  the  IP  address 
of  the  switch  and  the  key  string  to  be  shared  by  both  the  server  and  the  switch.  For  more  information, 
see  the  RADIUS  server  documentation. 

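The host-entry rules of this procedure (per-server values overriding the global commands, the key as the last item on the line with leading spaces dropped and inner spaces and quotation marks kept, the IP address plus UDP port as a unique identifier, and configured order as fail-over order), modelled in Python as an added example that is not Cisco's code. The default UDP ports and the sample configuration are constructed for the model; the sample reuses the addresses from the examples above.

```python
"""Model of how the switch derives per-host RADIUS settings. Added example,
not Cisco code: it parses the radius-server host, timeout, retransmit and key
global configuration commands from the procedure above and applies the rules
it states: per-server values override the global ones, the key is everything
after the key keyword (leading spaces dropped, inner spaces and quotation
marks kept), and host entries keep their configured order (the fail-over order)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed defaults for this model only; the page does not state the
# switch's default UDP ports (its own examples use 1645/1646).
DEFAULT_AUTH_PORT = 1645
DEFAULT_ACCT_PORT = 1646

@dataclass
class RadiusHost:
    host: str
    auth_port: int = DEFAULT_AUTH_PORT
    acct_port: int = DEFAULT_ACCT_PORT
    timeout: Optional[int] = None     # None: use the global radius-server value
    retransmit: Optional[int] = None
    key: Optional[str] = None

@dataclass
class RadiusConfig:
    timeout: Optional[int] = None
    retransmit: Optional[int] = None
    key: Optional[str] = None
    hosts: List[RadiusHost] = field(default_factory=list)   # configured order

_KEY_RE = re.compile(r"(?:^|\s)key(?=\s|$)")   # the 'key' keyword as a token

def _split_key(args: str) -> Tuple[List[str], Optional[str]]:
    """Tokens before 'key', plus the key: it must be last on the line, so
    everything after the keyword (minus leading spaces) belongs to it."""
    m = _KEY_RE.search(args)
    if m is None:
        return args.split(), None
    return args[:m.start()].split(), args[m.end():].lstrip(" ")

def parse_radius_config(text: str) -> RadiusConfig:
    """Parse the radius-server lines of a configuration; others are ignored."""
    cfg = RadiusConfig()
    for raw in text.split("\n"):
        line = raw.lstrip()
        if not line.startswith("radius-server "):
            continue
        keyword, _, rest = line[len("radius-server "):].partition(" ")
        if keyword == "key":
            cfg.key = rest.lstrip(" ")
        elif keyword == "timeout":
            cfg.timeout = int(rest)
        elif keyword == "retransmit":
            cfg.retransmit = int(rest)
        elif keyword == "host":
            toks, key = _split_key(rest)
            if len(toks) % 2 == 0:
                raise ValueError(f"keyword without a value in: {line!r}")
            entry = RadiusHost(host=toks[0], key=key)
            for kw, val in zip(toks[1::2], toks[2::2]):
                if kw == "auth-port":
                    entry.auth_port = int(val)
                elif kw == "acct-port":
                    entry.acct_port = int(val)
                elif kw in ("timeout", "retransmit"):
                    if not 1 <= int(val) <= 1000:       # range given on the page
                        raise ValueError(f"{kw} {val} is outside the range 1 to 1000")
                    setattr(entry, kw, int(val))
                else:
                    raise ValueError(f"unknown keyword {kw!r} in: {line!r}")
            cfg.hosts.append(entry)
    return cfg

def effective_settings(cfg: RadiusConfig, entry: RadiusHost) -> Dict[str, object]:
    """Per-server timeout, retransmit and key override the global commands."""
    return {
        "timeout": cfg.timeout if entry.timeout is None else entry.timeout,
        "retransmit": cfg.retransmit if entry.retransmit is None else entry.retransmit,
        "key": cfg.key if entry.key is None else entry.key,
    }

def duplicate_identifiers(cfg: RadiusConfig) -> List[Tuple[str, str, int]]:
    """IP address plus UDP port is a host entry's unique identifier, so entries
    on one address must differ in port; list (host, service, port) repeats."""
    seen, dups = set(), []
    for h in cfg.hosts:
        for ident in ((h.host, "auth", h.auth_port), (h.host, "acct", h.acct_port)):
            if ident in seen and ident not in dups:
                dups.append(ident)
            seen.add(ident)
    return dups

# Constructed configuration in the syntax of the examples above.
SAMPLE_CONFIG = """\
radius-server timeout 10
radius-server retransmit 2
radius-server key   global-secret
radius-server host 172.29.36.49 auth-port 6403 key rad1
radius-server host 172.20.36.50 acct-port 6403 timeout 3 key "rad2 with spaces"
"""
```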

Configuring  RADIUS  Login  Authentication 

To  configure  AAA  authentication,  you  define  a  named  list  of  authentication  methods  and  then  apply  that 
list  to  various  ports.  The  method  list  defines  the  types  of  authentication  to  be  performed  and  the  sequence 
in  which  they  are  performed;  it  must  be  applied  to  a  specific  port  before  any  of  the  defined  authentication 
methods  are  performed.  The  only  exception  is  the  default  method  list  (which,  by  coincidence,  is  named 
default).  The  default  method  list  is  automatically  applied  to  all  ports  except  those  that  have  a  named 
method  list  explicitly  defined. 

A  method  list  describes  the  sequence  and  authentication  methods  to  be  queried  to  authenticate  a  user. 
You  can  designate  one  or  more  security  protocols  to  be  used  for  authentication,  thus  ensuring  a  backup 
system  for  authentication  in  case  the  initial  method  fails.  The  software  uses  the  first  method  listed  to 
authenticate  users;  if  that  method  fails  to  respond,  the  software  selects  the  next  authentication  method 
in  the  method  list.  This  process  continues  until  there  is  successful  communication  with  a  listed 
authentication  method  or  until  all  defined  methods  are  exhausted.  If  authentication  fails  at  any  point  in 
this  cycle — meaning  that  the  security  server  or  local  username  database  responds  by  denying  the  user 
access — the  authentication  process  stops,  and  no  other  authentication  methods  are  attempted. 

Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required.

Command / Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  aaa new-model
        Enable AAA.

Step 3  aaa authentication login {default | list-name} method1 [method2...]
        Create a login authentication method list.

        •  To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports.

        •  For list-name, specify a character string to name the list you are creating.

        •  For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails.

        Select one of these methods:

        -  enable — Use the enable password for authentication. Before you can use this authentication method, you must define an enable password by using the enable password global configuration command.

        -  group radius — Use RADIUS authentication. Before you can use this authentication method, you must configure the RADIUS server. For more information, see the "Identifying the RADIUS Server Host" section on page 5-20.

        -  line — Use the line password for authentication. Before you can use this authentication method, you must define a line password. Use the password password line configuration command.

        -  local — Use the local username database for authentication. You must enter username information in the database. Use the username name password global configuration command.

        -  local-case — Use a case-sensitive local username database for authentication. You must enter username information in the database by using the username password global configuration command.

        -  none — Do not use any authentication for login.

Step 4  line [console | tty | vty] line-number [ending-line-number]
        Enter line configuration mode, and configure the lines to which you want to apply the authentication list.

Step 5  login authentication {default | list-name}
        Apply the authentication list to a line or set of lines.

        •  If you specify default, use the default list created with the aaa authentication login command.

        •  For list-name, specify the list created with the aaa authentication login command.

Step 6  end
        Return to privileged EXEC mode.

Step 7  show running-config
        Verify your entries.

Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.


Note  To  secure  the  switch  for  HTTP  access  by  using  AAA  methods,  you  must  configure  the  switch  with  the 
ip  http  authentication  aaa  global  configuration  command.  Configuring  AAA  authentication  does  not 
secure  the  switch  for  HTTP  access  by  using  AAA  methods. 

For  more  information  about  the  ip  http  authentication  command,  see  the  Cisco  IOS  Security  Command 
Reference,  Release  12.2. 

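The method-list rule that both the TACACS+ and the RADIUS login authentication procedures state (the next method is tried only when the previous one returns an error, never when it fails), modelled in Python as an added example that is not Cisco's code. The method names follow the procedures; the user databases, the "server reachable" flag and the scenarios are constructed for the model.

```python
"""Model of AAA login method-list evaluation. Added example, not Cisco code:
it implements the rule that both login authentication procedures state, that
the next method in the list is consulted only when the previous method
returns an error (no server answered), not when it fails (the server or the
local database denied the user)."""
from enum import Enum
from typing import Callable, Dict, List, Tuple

class Result(Enum):
    PASS = "pass"      # the method authenticated the user
    FAIL = "fail"      # the method answered and denied the user
    ERROR = "error"    # the method could not answer (server dead, timed out)

Method = Callable[[str, str], Result]      # (username, password) -> Result
MethodList = List[Tuple[str, Method]]     # (display name, method), in order

def evaluate(method_list: MethodList, user: str, password: str):
    """Walk the list in order. Returns (granted, trail), where trail holds
    every method that was consulted together with what it returned."""
    trail = []
    for name, method in method_list:
        result = method(user, password)
        trail.append((name, result))
        if result is Result.PASS:
            return True, trail
        if result is Result.FAIL:
            return False, trail        # a denial stops the cycle
        # Result.ERROR: fall through to the next method in the list
    return False, trail                # list exhausted: deny (model's choice)

def local_database(users: Dict[str, str], case_sensitive: bool) -> Method:
    """'local' (username matched without regard to case) or 'local-case'
    (case-sensitive), backed by a constructed username database."""
    table = users if case_sensitive else {u.lower(): p for u, p in users.items()}
    def method(user: str, password: str) -> Result:
        lookup = user if case_sensitive else user.lower()
        return Result.PASS if table.get(lookup) == password else Result.FAIL
    return method

def server_group(reachable: bool, users: Dict[str, str]) -> Method:
    """'group tacacs+' or 'group radius': ERROR while no server answers,
    otherwise PASS or FAIL according to the server's constructed user store."""
    def method(user: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if users.get(user) == password else Result.FAIL
    return method

def none_method(user: str, password: str) -> Result:
    """'none': do not authenticate; every login passes."""
    return Result.PASS

def scenarios() -> Dict[str, Tuple[bool, list]]:
    """Constructed cases showing what each list shape admits."""
    local = {"Admin": "local-pw"}       # constructed local username database
    remote = {"Admin": "server-pw"}     # constructed server-side user store
    out = {}
    # 'group radius local', server reachable, local password offered: the
    # server denies and the local database is never consulted.
    out["server_rejects"] = evaluate(
        [("group radius", server_group(True, remote)),
         ("local", local_database(local, case_sensitive=False))],
        "Admin", "local-pw")
    # Same list with the server dead: the error falls through to local.
    out["server_dead"] = evaluate(
        [("group radius", server_group(False, remote)),
         ("local", local_database(local, case_sensitive=False))],
        "admin", "local-pw")
    # 'local-case' rejects a username typed with different case.
    out["local_case"] = evaluate(
        [("local-case", local_database(local, case_sensitive=True))],
        "admin", "local-pw")
    # 'group tacacs+ none' with the server dead admits anyone: 'none' as the
    # last method turns a server outage into an open door.
    out["none_fallback"] = evaluate(
        [("group tacacs+", server_group(False, remote)), ("none", none_method)],
        "anyone", "")
    return out
```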

Defining  AAA  Server  Groups 

You  can  configure  the  switch  to  use  AAA  server  groups  to  group  existing  server  hosts  for  authentication. 
You  select  a  subset  of  the  configured  server  hosts  and  use  them  for  a  particular  service.  The  server  group 
is  used  with  a  global  server-host  list,  which  lists  the  IP  addresses  of  the  selected  server  hosts. 

Server  groups  also  can  include  multiple  host  entries  for  the  same  server  if  each  entry  has  a  unique 
identifier  (the  combination  of  the  IP  address  and  UDP  port  number),  allowing  different  ports  to  be 
individually  defined  as  RADIUS  hosts  providing  a  specific  AAA  service.  If  you  configure  two  different 
host  entries  on  the  same  RADIUS  server  for  the  same  service,  (for  example,  accounting),  the  second 
configured  host  entry  acts  as  a  fail-over  backup  to  the  first  one. 

You  use  the  server  group  server  configuration  command  to  associate  a  particular  server  with  a  defined 
group  server.  You  can  either  identify  the  server  by  its  IP  address  or  identify  multiple  host  instances  or 
entries  by  using  the  optional  auth-port  and  acct-port  keywords. 
Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it:

Command / Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
        Specify the IP address or hostname of the remote RADIUS server host.

        •  (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.

        •  (Optional) For acct-port port-number, specify the UDP destination port for accounting requests.

        •  (Optional) For timeout seconds, specify the time interval that the switch waits for the RADIUS server to reply before resending. The range is 1 to 1000. This setting overrides the radius-server timeout global configuration command setting. If no timeout is set with the radius-server host command, the setting of the radius-server timeout command is used.

        •  (Optional) For retransmit retries, specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly. The range is 1 to 1000. If no retransmit value is set with the radius-server host command, the setting of the radius-server retransmit global configuration command is used.

        •  (Optional) For key string, specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server.

        Note  The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.

        To configure the switch to recognize more than one host entry associated with a single IP address, enter this command as many times as necessary, making sure that each UDP port number is different. The switch software searches for hosts in the order in which you specify them. Set the timeout, retransmit, and encryption key values to use with the specific RADIUS host.

Step 3  aaa new-model
        Enable AAA.

Step 4  aaa group server radius group-name
        Define the AAA server-group with a group name.
        This command puts the switch in a server group configuration mode.

Step 5  server ip-address
        Associate a particular RADIUS server with the defined server group. Repeat this step for each RADIUS server in the AAA server group.
        Each server in the group must be previously defined in Step 2.

Step 6  end
        Return to privileged EXEC mode.

Step 7  show running-config
        Verify your entries.

Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Step 9  Enable RADIUS login authentication. See the "Configuring RADIUS Login Authentication" section on page 5-23.

To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. To remove a server group from the configuration list, use the no aaa group server radius group-name global configuration command. To remove the IP address of a RADIUS server, use the no server ip-address server group configuration command.

In this example, the switch is configured to recognize two different RADIUS group servers (group1 and group2). Group1 has two different host entries on the same RADIUS server configured for the same services. The second host entry acts as a fail-over backup to the first entry.

Switch(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
Switch(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646
Switch(config)# aaa new-model
Switch(config)# aaa group server radius group1
Switch(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001
Switch(config-sg-radius)# exit
Switch(config)# aaa group server radius group2
Switch(config-sg-radius)# server 172.20.0.1 auth-port 2000 acct-port 2001
Switch(config-sg-radius)# exit


Configuring  RADIUS  Authorization  for  User  Privileged  Access  and  Network  Services 

AAA  authorization  limits  the  services  available  to  a  user.  When  AAA  authorization  is  enabled,  the 
switch  uses  information  retrieved  from  the  user's  profile,  which  is  in  the  local  user  database  or  on  the 
security  server,  to  configure  the  user's  session.  The  user  is  granted  access  to  a  requested  service  only  if 
the  information  in  the  user  profile  allows  it. 

You can use the aaa authorization global configuration command with the radius keyword to set
parameters that restrict a user's access to privileged EXEC mode and to network services.

The  aaa  authorization  exec  radius  local  command  sets  these  authorization  parameters: 

•  Use  RADIUS  for  privileged  EXEC  access  authorization  if  authentication  was  performed  by  using 
RADIUS. 

•  Use  the  local  database  if  authentication  was  not  performed  by  using  RADIUS. 


Note      Authorization  is  bypassed  for  authenticated  users  who  log  in  through  the  CLI  even  if  authorization  has 
been  configured. 


Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  specify  RADIUS  authorization  for  privileged 
EXEC  access  and  network  services: 


Command                                   Purpose

Step 1     configure terminal

Enter global configuration mode.

Step 2     aaa authorization network radius

Configure the switch for user RADIUS authorization for all
network-related service requests.

Step 3     aaa authorization exec radius

Configure the switch for user RADIUS authorization if the user has
privileged EXEC access.

The exec keyword might return user profile information (such as
autocommand information).

Step 4     end

Return to privileged EXEC mode.

Step 5     show running-config

Verify your entries.

Step 6     copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable authorization, use the no aaa authorization {network | exec} method1 global configuration
command.


Starting  RADIUS  Accounting 

The  AAA  accounting  feature  tracks  the  services  that  users  are  accessing  and  the  amount  of  network 
resources  that  they  are  consuming.  When  AAA  accounting  is  enabled,  the  switch  reports  user  activity  to 
the  RADIUS  security  server  in  the  form  of  accounting  records.  Each  accounting  record  contains 
accounting  attribute-value  (AV)  pairs  and  is  stored  on  the  security  server.  This  data  can  then  be  analyzed 
for  network  management,  client  billing,  or  auditing. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  enable  RADIUS  accounting  for  each  Cisco 
IOS  privilege  level  and  for  network  services: 


Command                                   Purpose

Step 1     configure terminal

Enter global configuration mode.

Step 2     aaa accounting network start-stop radius

Enable RADIUS accounting for all network-related service requests.

Step 3     aaa accounting exec start-stop radius

Enable RADIUS accounting to send a start-record accounting notice at
the beginning of a privileged EXEC process and a stop-record at the
end.

Step 4     end

Return to privileged EXEC mode.

Step 5     show running-config

Verify your entries.

Step 6     copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable accounting, use the no aaa accounting {network | exec} {start-stop} method1... global
configuration command.
Configuring Settings for All RADIUS Servers

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  global  communication  settings 
between  the  switch  and  all  RADIUS  servers: 


Command                                   Purpose

Step 1     configure terminal

Enter global configuration mode.

Step 2     radius-server key string

Specify the shared secret text string used between the switch and all
RADIUS servers.

Note     The key is a text string that must match the encryption key used on
the RADIUS server. Leading spaces are ignored, but spaces within
and at the end of the key are used. If you use spaces in your key, do
not enclose the key in quotation marks unless the quotation marks
are part of the key.

Step 3     radius-server retransmit retries

Specify the number of times the switch sends each RADIUS request to the
server before giving up. The default is 3; the range is 1 to 1000.

Step 4     radius-server timeout seconds

Specify the number of seconds the switch waits for a reply to a RADIUS
request before resending the request. The default is 5 seconds; the range is
1 to 1000.

Step 5     radius-server deadtime minutes

Specify the number of minutes for which a RADIUS server that is not responding
to authentication requests is skipped, so that the switch does not wait for the
request to time out before trying the next configured server. The default is
0; the range is 1 to 1440 minutes.

Step 6     end

Return to privileged EXEC mode.

Step 7     show running-config

Verify your settings.

Step 8     copy running-config startup-config

(Optional) Save your entries in the configuration file.

To  return  to  the  default  setting  for  the  retransmit,  timeout,  and  deadtime,  use  the  no  forms  of  these 
commands. 
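The secret set with radius-server key (or per host with the key keyword) is not merely a password the server checks: the switch uses it to hide the User-Password attribute in every Access-Request and to verify the Response Authenticator on every reply, so a mismatched key, including one that differs only by an embedded space, produces a rejected exchange rather than a readable error. The Python script below is an added example, not code from this guide or from Cisco IOS. It implements the two RFC 2865 computations, builds a constructed Access-Request, answers it with a toy server that stands in for the RADIUS daemon, and checks the reply the way the switch would; the user name, password and secrets are made-up values.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the attribute types used in this example
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 octets and XOR each
    block with MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; this is the server side of the same computation."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def parse_attributes(body: bytes) -> dict:
    """Walk the TLV attribute list; reject truncated or zero-length attributes."""
    attrs, pos = {}, 0
    while pos + 2 <= len(body):
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed attribute")
        attrs[atype] = body[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Header (Code, Identifier, Length, Authenticator) followed by TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def access_request(username: str, password: str, secret: bytes, ident: int = 1) -> bytes:
    request_auth = os.urandom(16)  # fresh random Request Authenticator for every request
    attrs = [
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
    ]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code, ident, length, request_auth, attrs_bytes, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def toy_server_reply(request: bytes, server_secret: bytes, expected_password: str) -> bytes:
    """Stand-in for the RADIUS daemon: recover the password with the server's own secret
    and answer Access-Accept or Access-Reject with a correctly computed Response Authenticator."""
    _, ident, _ = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:])
    recovered = unhide_password(attrs[ATTR_USER_PASSWORD], server_secret, request_auth)
    code = ACCESS_ACCEPT if recovered == expected_password.encode() else ACCESS_REJECT
    resp_auth = response_authenticator(code, ident, 20, request_auth, b"", server_secret)
    return struct.pack("!BBH", code, ident, 20) + resp_auth


def verify_reply(reply: bytes, request: bytes, client_secret: bytes) -> bool:
    """What the switch does with every reply: the Identifier must match the outstanding
    request and the Response Authenticator must verify under the client's secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return False
    expected = response_authenticator(code, ident, length, request[4:20], reply[20:length], client_secret)
    return hmac.compare_digest(reply[4:20], expected)


def exchange(client_secret: bytes, server_secret: bytes) -> dict:
    """One Access-Request/reply round trip with constructed credentials (not real ones)."""
    req = access_request("netadmin", "Sw1tch-pass", client_secret)
    reply = toy_server_reply(req, server_secret, "Sw1tch-pass")
    return {"accepted": reply[0] == ACCESS_ACCEPT, "verified": verify_reply(reply, req, client_secret)}


if __name__ == "__main__":
    print(exchange(b"rad124", b"rad124"))   # matching secrets
    print(exchange(b"rad124", b"rad 124"))  # one embedded space: password garbled, reply unverifiable
```

With matching secrets the exchange returns accepted and verified; with rad124 on the switch and "rad 124" on the server the toy server decodes garbage and rejects, and the switch cannot verify the reply either, which is exactly the silent failure the key note above is warning about. The MD5-based construction is also why the shared secret deserves to be long and random: it is the only thing protecting the password attribute on the wire.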


Configuring  the  Switch  to  Use  Vendor-Specific  RADIUS  Attributes 

The  Internet  Engineering  Task  Force  (IETF)  draft  standard  specifies  a  method  for  communicating 
vendor-specific  information  between  the  switch  and  the  RADIUS  server  by  using  the  vendor-specific 
attribute  (attribute  26).  Vendor-specific  attributes  (VSAs)  allow  vendors  to  support  their  own  extended 
attributes  not  suitable  for  general  use.  The  Cisco  RADIUS  implementation  supports  one  vendor-specific 
option  by  using  the  format  recommended  in  the  specification.  Cisco's  vendor-ID  is  9,  and  the  supported 
option  has  vendor-type  1,  which  is  named  cisco-avpair.  The  value  is  a  string  with  this  format: 

protocol   :   attribute  sep  value  * 

Protocol  is  a  value  of  the  Cisco  protocol  attribute  for  a  particular  type  of  authorization.  Attribute  and 
value  are  an  appropriate  attribute-value  (AV)  pair  defined  in  the  Cisco  TACACS+  specification,  and  sep 
is  =  for  mandatory  attributes  and  is  *  for  optional  attributes.  The  full  set  of  features  available  for 
TACACS+  authorization  can  then  be  used  for  RADIUS. 

For  example,  this  AV  pair  activates  Cisco's  multiple  named  ip  address  pools  feature  during  IP 
authorization  (during  PPP  IPCP  address  assignment): 

cisco-avpair= "ip:addr-pool=first"

This example shows how to provide a user logging in from a switch with immediate access to privileged
EXEC commands:

cisco-avpair= "shell:priv-lvl=15"

This example shows how to specify an authorized VLAN in the RADIUS server database:

cisco-avpair= "tunnel-type(#64)=VLAN(13)"
cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
cisco-avpair= "tunnel-private-group-ID(#81)=vlanid"

This example shows how to apply an input ACL in ASCII format to an interface for the duration of this
connection:

cisco-avpair= "ip:inacl#1=deny ip 10.10.10.10 0.0.255.255 20.20.20.20 255.255.0.0"
cisco-avpair= "ip:inacl#2=deny ip 10.10.10.10 0.0.255.255 any"
cisco-avpair= "mac:inacl#3=deny any any decnet-iv"

This  example  shows  how  to  apply  an  output  ACL  in  ASCII  format  to  an  interface  for  the  duration  of  this 
connection: 

cisco-avpair=  "ip:outacl#2=deny  ip  10.10.10.10  0.0.255.255  any" 

Other  vendors  have  their  own  unique  vendor-IDs,  options,  and  associated  VSAs.  For  more  information 
about  vendor-IDs  and  VSAs,  see  RFC  2138,  "Remote  Authentication  Dial-In  User  Service  (RADIUS)." 
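To see how these cisco-avpair strings travel inside attribute 26, here is an added Python example, not from this guide and not code from any Cisco or RADIUS server product. It encodes a cisco-avpair into the attribute 26 layout described above (type 26, length, vendor-ID 9, vendor-type 1, vendor-length, string), then walks a constructed attribute list and extracts only the Cisco pairs, keeping the mandatory/optional distinction carried by the = or * separator. The sample profile it builds (a privilege-15 shell, one inacl line and an optional addr-pool) reuses the strings shown in the examples above; the trailing attribute with vendor-ID 311 is a constructed stand-in for another vendor's VSA that a decoder must skip rather than misparse.

```python
import struct

ATTR_VENDOR_SPECIFIC = 26   # RADIUS attribute type that carries VSAs
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1            # vendor-type of cisco-avpair


def encode_cisco_avpair(protocol: str, attribute: str, value: str, mandatory: bool = True) -> bytes:
    """Build one attribute 26 carrying protocol:attribute=value (mandatory) or
    protocol:attribute*value (optional) in the vendor-ID 9 / vendor-type 1 format."""
    avpair = f"{protocol}:{attribute}{'=' if mandatory else '*'}{value}".encode()
    vendor_data = struct.pack("!BB", CISCO_AVPAIR, len(avpair) + 2) + avpair
    if len(vendor_data) > 255 - 6:
        raise ValueError("cisco-avpair too long for a single attribute 26")
    payload = struct.pack("!I", CISCO_VENDOR_ID) + vendor_data
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(payload) + 2) + payload


def parse_avpair(text: str) -> dict:
    """Split protocol:attribute sep value. The separator is the first '=' or '*' after
    the colon, so values that themselves contain spaces or '=' survive intact."""
    protocol, colon, rest = text.partition(":")
    cut = [i for i in (rest.find("="), rest.find("*")) if i >= 0]
    if not colon or not cut:
        raise ValueError(f"not a cisco-avpair: {text!r}")
    i = min(cut)
    return {"protocol": protocol, "attribute": rest[:i], "mandatory": rest[i] == "=", "value": rest[i + 1:]}


def decode_vsas(attributes: bytes):
    """Yield parsed cisco-avpairs from a RADIUS attribute list. Non-VSA attributes and
    attribute 26 from other vendor IDs are skipped; truncated attributes are rejected."""
    pos = 0
    while pos + 2 <= len(attributes):
        atype, alen = attributes[pos], attributes[pos + 1]
        if alen < 2 or pos + alen > len(attributes):
            raise ValueError("malformed attribute list")
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", attributes[pos + 2:pos + 6])[0]
            if vendor_id == CISCO_VENDOR_ID:
                vtype, vlen = attributes[pos + 6], attributes[pos + 7]
                if vtype == CISCO_AVPAIR and 2 <= vlen <= alen - 6:
                    yield parse_avpair(attributes[pos + 8:pos + 6 + vlen].decode())
        pos += alen


def example_profile() -> bytes:
    """Constructed server reply attributes, not captured from a real server."""
    other_vendor = struct.pack("!BBIBB", ATTR_VENDOR_SPECIFIC, 8, 311, 1, 2)  # vendor 311, empty value
    return b"".join([
        encode_cisco_avpair("shell", "priv-lvl", "15"),
        encode_cisco_avpair("ip", "inacl#1", "deny ip 10.10.10.10 0.0.255.255 any"),
        encode_cisco_avpair("ip", "addr-pool", "first", mandatory=False),
        other_vendor,
    ])


if __name__ == "__main__":
    for av in decode_vsas(example_profile()):
        print(av)
```

The vendor-length check (2 <= vlen <= alen - 6) matters: a vendor-length larger than the enclosing attribute would otherwise let a crafted reply read into the next attribute, which is the kind of parsing slip a RADIUS client must not make.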

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  the  switch  to  recognize  and  use 
VSAs: 


Command                                   Purpose

Step 1     configure terminal

Enter global configuration mode.

Step 2     radius-server vsa send [accounting | authentication]

Enable the switch to recognize and use VSAs as defined by RADIUS IETF
attribute 26.

•  (Optional) Use the accounting keyword to limit the set of recognized
vendor-specific attributes to only accounting attributes.

•  (Optional) Use the authentication keyword to limit the set of
recognized vendor-specific attributes to only authentication attributes.

If you enter this command without keywords, both accounting and
authentication vendor-specific attributes are used.

Step 3     end

Return to privileged EXEC mode.

Step 4     show running-config

Verify your settings.

Step 5     copy running-config startup-config

(Optional) Save your entries in the configuration file.

For  a  complete  list  of  RADIUS  attributes  or  more  information  about  vendor-specific  attribute  26,  see  the 
"RADIUS  Attributes"  appendix  in  the  Cisco  IOS  Security  Configuration  Guide,  Release  12.2. 


5-30

Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide

380261-003

Chapter 5    Configuring Switch-Based Authentication

Controlling Switch Access with RADIUS


Configuring  the  Switch  for  Vendor-Proprietary  RADIUS  Server  Communication 

Although  an  IETF  draft  standard  for  RADIUS  specifies  a  method  for  communicating  vendor-proprietary 
information  between  the  switch  and  the  RADIUS  server,  some  vendors  have  extended  the  RADIUS 
attribute  set  in  a  unique  way.  Cisco  IOS  software  supports  a  subset  of  vendor-proprietary  RADIUS 
attributes. 

As  mentioned  earlier,  to  configure  RADIUS  (whether  vendor-proprietary  or  IETF  draft-compliant),  you 
must  specify  the  host  running  the  RADIUS  server  daemon  and  the  secret  text  string  it  shares  with  the 
switch.  You  specify  the  RADIUS  host  and  secret  text  string  by  using  the  radius-server  global 
configuration  commands. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  specify  a  vendor-proprietary  RADIUS  server 
host  and  a  shared  secret  text  string: 


Command                                   Purpose

Step 1     configure terminal

Enter global configuration mode.

Step 2     radius-server host {hostname | ip-address} non-standard

Specify the IP address or hostname of the remote
RADIUS server host and identify that it is using a
vendor-proprietary implementation of RADIUS.

Step 3     radius-server key string

Specify the shared secret text string used between the
switch and the vendor-proprietary RADIUS server.
The switch and the RADIUS server use this text
string to encrypt passwords and exchange responses.

Note     The key is a text string that must match the
encryption key used on the RADIUS server.
Leading spaces are ignored, but spaces within
and at the end of the key are used. If you use
spaces in your key, do not enclose the key in
quotation marks unless the quotation marks
are part of the key.

Step 4     end

Return to privileged EXEC mode.

Step 5     show running-config

Verify your settings.

Step 6     copy running-config startup-config

(Optional) Save your entries in the configuration file.


To delete the vendor-proprietary RADIUS host, use the no radius-server host {hostname | ip-address}
non-standard global configuration command. To disable the key, use the no radius-server key global
configuration command.

This example shows how to specify a vendor-proprietary RADIUS host and to use a secret key of rad124
between the switch and the server:

Switch(config)# radius-server host 172.20.30.15 non-standard
Switch(config)# radius-server key rad124


Displaying  the  RADIUS  Configuration 

To  display  the  RADIUS  configuration,  use  the  show  running-config  privileged  EXEC  command. 
Controlling Switch Access with Kerberos

This  section  describes  how  to  enable  and  configure  the  Kerberos  security  system,  which  authenticates 
requests  for  network  resources  by  using  a  trusted  third  party.  To  use  this  feature,  the  cryptographic  (that 
is,  supports  encryption)  versions  of  the  switch  software  must  be  installed  on  your  switch. 

You must obtain authorization to use this feature and to download the cryptographic software files from
Cisco.com. You can download the cryptographic software image from www.hp.com/support. For more
information, see the Cisco Gigabit Ethernet Switch Module for HP BladeSystem p-Class Release Notes
for this release.

These  sections  contain  this  information: 

•  Understanding  Kerberos,  page  5-32 

•  Kerberos  Operation,  page  5-34 

•  Configuring  Kerberos,  page  5-35 

For  Kerberos  configuration  examples,  see  the  "Kerberos  Configuration  Examples"  section  in  the 
"Security  Server  Protocols"  chapter  of  the  Cisco  IOS  Security  Configuration  Guide,  Release  12.2,  at  this 
URL: 

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_book09186a0080087df1.html

Note      For complete syntax and usage information for the commands used in this section, see the "Kerberos
Commands" section in the "Security Server Protocols" chapter of the Cisco IOS Security Command
Reference, Release 12.2, at this URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_book09186a0080087e33.html

Note      In the Kerberos configuration examples and in the Cisco IOS Security Command Reference,
Release 12.2, the trusted third party can be a switch that supports Kerberos, that is configured as a
network security server, and that can authenticate users by using the Kerberos protocol.


Understanding  Kerberos 

Kerberos  is  a  secret-key  network  authentication  protocol,  which  was  developed  at  the  Massachusetts 
Institute  of  Technology  (MIT).  It  uses  the  Data  Encryption  Standard  (DES)  cryptographic  algorithm  for 
encryption  and  authentication  and  authenticates  requests  for  network  resources.  Kerberos  uses  the 
concept  of  a  trusted  third  party  to  perform  secure  verification  of  users  and  services.  This  trusted  third 
party  is  called  the  key  distribution  center  (KDC). 

Kerberos  verifies  that  users  are  who  they  claim  to  be  and  the  network  services  that  they  use  are  what  the 
services  claim  to  be.  To  do  this,  a  KDC  or  trusted  Kerberos  server  issues  tickets  to  users.  These  tickets, 
which  have  a  limited  lifespan,  are  stored  in  user  credential  caches.  The  Kerberos  server  uses  the  tickets 
instead  of  usernames  and  passwords  to  authenticate  users  and  network  services. 


Note      A  Kerberos  server  can  be  a  switch  that  is  configured  as  a  network  security  server  and  that  can 
authenticate  users  by  using  the  Kerberos  protocol. 
The Kerberos credential scheme uses a process called single logon. This process authenticates a user
once  and  then  allows  secure  authentication  (without  encrypting  another  password)  wherever  that  user 
credential  is  accepted. 

This  software  release  supports  Kerberos  5,  which  allows  organizations  that  are  already  using  Kerberos  5 
to  use  the  same  Kerberos  authentication  database  on  the  KDC  that  they  are  already  using  on  their  other 
network  hosts  (such  as  UNIX  servers  and  PCs). 

In  this  software  release,  Kerberos  supports  these  network  services: 

•  Telnet 

•  rlogin 

•  rsh  (Remote  Shell  Protocol) 

Table  5-2  lists  the  common  Kerberos-related  terms  and  definitions: 


Table  5-2  Kerberos  Terms 


Term 

Definition 

Authentication 

A  process  by  which  a  user  or  service  identifies  itself  to  another  service. 
For  example,  a  client  can  authenticate  to  a  switch  or  a  switch  can 
authenticate  to  another  switch. 

Authorization 

A  means  by  which  the  switch  identifies  what  privileges  the  user  has  in  a 
network  or  on  the  switch  and  what  actions  the  user  can  perform. 

Credential 

A  general  term  that  refers  to  authentication  tickets,  such  as  TGTs1  and 
service  credentials.  Kerberos  credentials  verify  the  identity  of  a  user  or 
service.  If  a  network  service  decides  to  trust  the  Kerberos  server  that 
issued  a  ticket,  it  can  be  used  in  place  of  re-entering  a  username  and 
password.  Credentials  have  a  default  lifespan  of  eight  hours. 

Instance 

An authorization level label for Kerberos principals. Most Kerberos
principals are of the form user@REALM (for example,
smith@EXAMPLE.COM). A Kerberos principal with a Kerberos
instance has the form user/instance@REALM (for example,
smith/admin@EXAMPLE.COM). The Kerberos instance can be used to
specify  the  authorization  level  for  the  user  if  authentication  is  successful. 
The  server  of  each  network  service  might  implement  and  enforce  the 
authorization  mappings  of  Kerberos  instances  but  is  not  required  to  do  so. 

Note     The  Kerberos  principal  and  instance  names  must  be  in  all 
lowercase  characters. 

Note     The  Kerberos  realm  name  must  be  in  all  uppercase  characters. 

KDC2 

Key  distribution  center  that  consists  of  a  Kerberos  server  and  database 
program  that  is  running  on  a  network  host. 

Kerberized 

A  term  that  describes  applications  and  services  that  have  been  modified 
to  support  the  Kerberos  credential  infrastructure. 

Kerberos  realm 

A  domain  consisting  of  users,  hosts,  and  network  services  that  are 
registered  to  a  Kerberos  server.  The  Kerberos  server  is  trusted  to  verify 
the  identity  of  a  user  or  network  service  to  another  user  or  network 
service. 

Note     The  Kerberos  realm  name  must  be  in  all  uppercase  characters. 
Table 5-2 Kerberos Terms (continued)

Kerberos  server 

A  daemon  that  is  running  on  a  network  host.  Users  and  network  services 
register  their  identity  with  the  Kerberos  server.  Network  services  query 
the  Kerberos  server  to  authenticate  to  other  network  services. 

KEYTAB3 

A  password  that  a  network  service  shares  with  the  KDC.  In  Kerberos  5 
and  later  Kerberos  versions,  the  network  service  authenticates  an 
encrypted  service  credential  by  using  the  KEYTAB  to  decrypt  it.  In 
Kerberos  versions  earlier  than  Kerberos  5,  KEYTAB  is  referred  to  as 
SRVTAB4. 

Principal 

Also  known  as  a  Kerberos  identity,  this  is  who  you  are  or  what  a  service 
is  according  to  the  Kerberos  server. 

Note     The  Kerberos  principal  name  must  be  in  all  lowercase  characters. 

Service  credential 

A  credential  for  a  network  service.  When  issued  from  the  KDC,  this 
credential  is  encrypted  with  the  password  shared  by  the  network  service 
and  the  KDC.  The  password  is  also  shared  with  the  user  TGT. 

SRVTAB 

A  password  that  a  network  service  shares  with  the  KDC.  In  Kerberos  5 
or  later  Kerberos  versions,  SRVTAB  is  referred  to  as  KEYTAB. 

TGT 

Ticket  granting  ticket  that  is  a  credential  that  the  KDC  issues  to 
authenticated  users.  When  users  receive  a  TGT,  they  can  authenticate  to 
network  services  within  the  Kerberos  realm  represented  by  the  KDC. 

1.  TGT  =  ticket  granting  ticket 

2.  KDC  =  key  distribution  center 

3.  KEYTAB  =  key  table 

4.  SRVTAB  =  server  table 


Kerberos  Operation 

A  Kerberos  server  can  be  a  switch  that  is  configured  as  a  network  security  server  and  that  can 
authenticate  remote  users  by  using  the  Kerberos  protocol.  Although  you  can  customize  Kerberos  in  a 
number  of  ways,  remote  users  attempting  to  access  network  services  must  pass  through  three  layers  of 
security  before  they  can  access  network  services. 

To  authenticate  to  network  services  by  using  a  switch  as  a  Kerberos  server,  remote  users  must  follow 
these  steps: 

1.  Authenticating  to  a  Boundary  Switch,  page  5-34 

2.  Obtaining  a  TGT  from  a  KDC,  page  5-35 

3.  Authenticating  to  Network  Services,  page  5-35 

Authenticating  to  a  Boundary  Switch 

This  section  describes  the  first  layer  of  security  through  which  a  remote  user  must  pass.  The  user  must 
first  authenticate  to  the  boundary  switch.  This  process  then  occurs: 

1.  The  user  opens  an  un-Kerberized  Telnet  connection  to  the  boundary  switch. 

2.  The  switch  prompts  the  user  for  a  username  and  password. 
3. The switch requests a TGT from the KDC for this user.

4.  The  KDC  sends  an  encrypted  TGT  that  includes  the  user  identity  to  the  switch. 

5.  The  switch  attempts  to  decrypt  the  TGT  by  using  the  password  that  the  user  entered. 

•  If  the  decryption  is  successful,  the  user  is  authenticated  to  the  switch. 

•  If  the  decryption  is  not  successful,  the  user  repeats  Step  2  either  by  re-entering  the  username 
and  password  (noting  if  Caps  Lock  or  Num  Lock  is  on  or  off)  or  by  entering  a  different 
username  and  password. 

A remote user who initiates an un-Kerberized Telnet session and authenticates to a boundary switch is
inside the firewall, but the user must still authenticate directly to the KDC before getting access to the
network services. The user must authenticate to the KDC because the TGT that the KDC issues is stored
on the switch and cannot be used for additional authentication until the user logs on to the switch.

Obtaining  a  TGT  from  a  KDC 

This  section  describes  the  second  layer  of  security  through  which  a  remote  user  must  pass.  The  user  must 
now  authenticate  to  a  KDC  and  obtain  a  TGT  from  the  KDC  to  access  network  services. 

For  instructions  about  how  to  authenticate  to  a  KDC,  see  the  "Obtaining  a  TGT  from  a  KDC"  section  in 
the  "Security  Server  Protocols"  chapter  of  the  Cisco  IOS  Security  Configuration  Guide,  Release  12.2,  at 
this  URL: 

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_book09186a0080087df1.html

Authenticating  to  Network  Services 

This  section  describes  the  third  layer  of  security  through  which  a  remote  user  must  pass.  The  user  with 
a  TGT  must  now  authenticate  to  the  network  services  in  a  Kerberos  realm. 

For  instructions  about  how  to  authenticate  to  a  network  service,  see  the  "Authenticating  to  Network 
Services"  section  in  the  "Security  Server  Protocols"  chapter  of  the  Cisco  IOS  Security  Configuration 
Guide,  Release  12.2,  at  this  URL: 

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_book09186a0080087df1.html

Configuring  Kerberos 

So  that  remote  users  can  authenticate  to  network  services,  you  must  configure  the  hosts  and  the  KDC  in 
the  Kerberos  realm  to  communicate  and  mutually  authenticate  users  and  network  services.  To  do  this, 
you  must  identify  them  to  each  other.  You  add  entries  for  the  hosts  to  the  Kerberos  database  on  the  KDC 
and  add  KEYTAB  files  generated  by  the  KDC  to  all  hosts  in  the  Kerberos  realm.  You  also  create  entries 
for  the  users  in  the  KDC  database. 

When  you  add  or  create  entries  for  the  hosts  and  users,  follow  these  guidelines: 

•  The  Kerberos  principal  name  must  be  in  all  lowercase  characters. 

•  The  Kerberos  instance  name  must  be  in  all  lowercase  characters. 

•  The  Kerberos  realm  name  must  be  in  all  uppercase  characters. 
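These three case rules are easy to get wrong when KDC entries are created by hand, and a Kerberized service that uses the instance as an authorization label has to parse the principal correctly before it can enforce anything. The Python snippet below is an added example, not code from this guide, from Cisco IOS or from the MIT Kerberos distribution: it parses user[/instance]@REALM, rejects principals that break the case rules, refuses principals from a foreign realm, and maps the instance to a privilege level through a constructed table (admin to 15, no instance to 1, anything else to 0) that is this example's own policy rather than anything the switch ships with.

```python
import re

# Constructed instance-to-privilege policy for this example; the guide only says the
# instance "can be used to specify the authorization level", it does not fix a mapping.
INSTANCE_PRIVILEGE = {None: 1, "admin": 15}

# user, optional /instance, @REALM; none of the three parts may contain '/' or '@'
_PRINCIPAL = re.compile(r"^(?P<user>[^/@]+)(?:/(?P<instance>[^/@]+))?@(?P<realm>[^/@]+)$")


def parse_principal(text: str) -> dict:
    """Split user[/instance]@REALM and enforce the guidelines above: principal and
    instance all lowercase, realm all uppercase."""
    m = _PRINCIPAL.match(text)
    if not m:
        raise ValueError(f"not a Kerberos principal: {text!r}")
    user, instance, realm = m.group("user", "instance", "realm")
    if user != user.lower() or (instance is not None and instance != instance.lower()):
        raise ValueError(f"principal and instance must be lowercase: {text!r}")
    if realm != realm.upper():
        raise ValueError(f"realm must be uppercase: {text!r}")
    return {"user": user, "instance": instance, "realm": realm}


def privilege_for(text: str, local_realm: str) -> int:
    """Authorization decision a Kerberized service might make once the KDC has vouched
    for the identity: refuse foreign realms, then map the instance; unknown instances
    fail closed to privilege 0."""
    p = parse_principal(text)
    if p["realm"] != local_realm:
        raise PermissionError(f"{text}: realm {p['realm']} is not {local_realm}")
    return INSTANCE_PRIVILEGE.get(p["instance"], 0)


if __name__ == "__main__":
    for name in ("smith@EXAMPLE.COM", "smith/admin@EXAMPLE.COM", "smith/backup@EXAMPLE.COM"):
        print(name, "->", privilege_for(name, "EXAMPLE.COM"))
```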
Note      A Kerberos server can be a switch that is configured as a network security server and that can
authenticate users by using the Kerberos protocol.

To  set  up  a  Kerberos-authenticated  server-client  system,  follow  these  steps: 

•  Configure  the  KDC  by  using  Kerberos  commands. 

•  Configure  the  switch  to  use  the  Kerberos  protocol. 

For  instructions,  see  the  "Kerberos  Configuration  Task  List"  section  in  the  "Security  Server  Protocols" 
chapter  of  the  Cisco  IOS  Security  Configuration  Guide,  Release  12.2,  at  this  URL: 

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_book09186a0080087df1.html


Configuring  the  Switch  for  Local  Authentication  and 
Authorization 

You  can  configure  AAA  to  operate  without  a  server  by  setting  the  switch  to  implement  AAA  in  local 
mode.  The  switch  then  handles  authentication  and  authorization.  No  accounting  is  available  in  this 
configuration. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  the  switch  for  local  AAA: 


Command                                   Purpose

Step 1     configure terminal

Enter global configuration mode.

Step 2     aaa new-model

Enable AAA.

Step 3     aaa authentication login default local

Set the login authentication to use the local username database. The
default keyword applies the local user database authentication to all
ports.

Step 4     aaa authorization exec local

Configure user AAA authorization, check the local database, and allow
the user to run an EXEC shell.

Step 5     aaa authorization network local

Configure user AAA authorization for all network-related service
requests.
Step 6     username name [privilege level] {password encryption-type password}

Enter the local database, and establish a username-based authentication
system.

Repeat this command for each user.

•  For name, specify the user ID as one word. Spaces and quotation
marks are not allowed.

•  (Optional) For level, specify the privilege level the user has after
gaining access. The range is 0 to 15. Level 15 gives privileged EXEC
mode access. Level 0 gives user EXEC mode access.

•  For encryption-type, enter 0 to specify that an unencrypted password
follows. Enter 7 to specify that a hidden password follows. A type 7
string is reversibly obfuscated, not hashed, so anyone who can read the
configuration or a backup of it can recover the password; protect
configuration files accordingly.

•  For password, specify the password the user must enter to gain access
to the switch. The password must be from 1 to 25 characters, can
contain embedded spaces, and must be the last option specified in the
username command.
Step  7 

end 

Return  to  privileged  EXEC  mode. 

Step  8 

show  running-config 

Verify  your  entries. 

Step  9 

copy  running-config  startup-config 

(Optional)  Save  your  entries  in  the  configuration  file. 

To disable AAA, use the no aaa new-model global configuration command. To disable authorization,
use the no aaa authorization {network | exec} method1 global configuration command.


Note  To  secure  the  switch  for  HTTP  access  by  using  AAA  methods,  you  must  configure  the  switch  with  the 
ip  http  authentication  aaa  global  configuration  command.  Configuring  AAA  authentication  does  not 
secure  the  switch  for  HTTP  access  by  using  AAA  methods. 

For  more  information  about  the  ip  http  authentication  command,  see  the  Cisco  IOS  Security  Command 
Reference,  Release  12.2. 
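Encryption type 7 in the username command above deserves a concrete demonstration: the "hidden" form is a reversible transform against a fixed, long-published translation string, not a hash, so a running-config or backup that contains password 7 entries is as sensitive as one with plaintext passwords. The Python script below is an added example, not code from this guide or from Cisco IOS. It implements the type 7 transform in both directions and scans a constructed configuration fragment (not taken from a real device) for username lines, returning the privilege level and plaintext for both type 0 and type 7 entries; the privilege default of 1 is the IOS default when the privilege keyword is omitted, and the sample type 7 string for "cisco" is the widely published test vector.

```python
# Cisco's type 7 translation string. The transform is an XOR of each password byte
# against successive characters of this public string, starting at a two-digit seed.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(hidden: str) -> str:
    """Recover the plaintext from a 'password 7' string: two decimal digits of seed,
    then one hex byte per character, each XORed with XLAT[seed + i]."""
    if len(hidden) < 4 or len(hidden) % 2 or not hidden.isalnum():
        raise ValueError("not a type 7 string")
    seed = int(hidden[:2])
    if seed >= len(XLAT):
        raise ValueError("seed out of range")
    chars = []
    for i, pos in enumerate(range(2, len(hidden), 2)):
        byte = int(hidden[pos:pos + 2], 16)
        chars.append(chr(byte ^ ord(XLAT[(seed + i) % len(XLAT)])))
    return "".join(chars)


def type7_encode(plain: str, seed: int = 8) -> str:
    """Forward direction, used here for a round-trip check; IOS picks its own seed."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0-15")
    body = "".join(f"{ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}" for i, c in enumerate(plain))
    return f"{seed:02d}{body}"


def recover_local_users(config_text: str) -> dict:
    """Scan lines of the form  username NAME [privilege N] password {0|7} PASSWORD
    and return name -> (privilege, plaintext). Types 0 and 7 both yield the plaintext;
    the password is the last option, so it may contain embedded spaces."""
    users = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "username" or "password" not in tokens:
            continue
        p = tokens.index("password")
        if p + 2 >= len(tokens):
            continue  # no password value present
        name = tokens[1]
        priv = int(tokens[tokens.index("privilege") + 1]) if "privilege" in tokens[:p] else 1
        enc_type, value = tokens[p + 1], " ".join(tokens[p + 2:])
        if enc_type == "7":
            value = type7_decode(value)
        elif enc_type != "0":
            continue  # other encryption types are outside this example
        users[name] = (priv, value)
    return users


# Constructed configuration fragment, not a real device's config.
SAMPLE_CONFIG = """\
username admin privilege 15 password 7 0822455D0A16
username ops password 0 ops pass word
"""

if __name__ == "__main__":
    print(recover_local_users(SAMPLE_CONFIG))
```

The admin entry decodes to "cisco" with nothing more than the string above, which is the whole point: type 7 only stops casual shoulder-surfing of a displayed configuration, and the guide's advice to treat show running-config output and saved startup-config files as sensitive follows directly from it.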


Configuring  the  Switch  for  Secure  Shell 

This  section  describes  how  to  configure  the  Secure  Shell  (SSH)  feature.  To  use  this  feature,  you  must 
install  the  cryptographic  (encrypted)  software  image  on  your  switch.  You  can  download  the 
cryptographic  software  files  from  www.hp.com/support.  For  more  information,  see  the  Cisco  Gigabit 
Ethernet  Switch  Module  for  HP  BladeSystem  p-Class  Release  Notes  for  this  release. 

These  sections  contain  this  information: 

•  Understanding  SSH,  page  5-38 

•  Configuring  SSH,  page  5-39 

•  Displaying  the  SSH  Configuration  and  Status,  page  5-41 
For SSH configuration examples, see the "SSH Configuration Examples" section in the "Configuring
Secure Shell" chapter of the Cisco IOS Security Configuration Guide, Cisco IOS Release 12.2, at
this URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_book09186a0080087df1.html

Note  For complete syntax and usage information for the commands used in this section, see the Cisco Gigabit
Ethernet Switch Module for HP BladeSystem p-Class Command Reference Guide for this release and the
command reference for Cisco IOS Release 12.2 at this URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/tsd_products_support_series_home.html


Understanding  SSH 

SSH is a protocol that provides a secure, remote connection to a device. SSH provides more security for
remote connections than Telnet does by providing strong encryption once the device is authenticated. This
software release supports SSH Version 1 (SSHv1) and SSH Version 2 (SSHv2). SSHv1 has known
protocol-level weaknesses, so configure the server for SSHv2 wherever your clients support it.

This  section  consists  of  these  topics: 

•  SSH  Servers,  Integrated  Clients,  and  Supported  Versions,  page  5-38 

•  Limitations,  page  5-39 

SSH  Servers,  Integrated  Clients,  and  Supported  Versions 

The  SSH  feature  has  an  SSH  server  and  an  SSH  integrated  client,  which  are  applications  that  run  on  the 
switch.  You  can  use  an  SSH  client  to  connect  to  a  switch  running  the  SSH  server.  The  SSH  server  works 
with  the  SSH  client  supported  in  this  release  and  with  non-Cisco  SSH  clients.  The  SSH  client  also  works 
with  the  SSH  server  supported  in  this  release  and  with  non-Cisco  SSH  servers. 

The switch supports an SSHv1 or an SSHv2 server.

The switch supports an SSHv1 client.

SSH supports the Data Encryption Standard (DES) encryption algorithm, the Triple DES (3DES) encryption algorithm, and password-based user authentication.

SSH  also  supports  these  user  authentication  methods: 

•  TACACS+  (for  more  information,  see  the  "Controlling  Switch  Access  with  TACACS+"  section  on 
page  5-10) 

•  RADIUS  (for  more  information,  see  the  "Controlling  Switch  Access  with  RADIUS"  section  on 
page  5-17) 

•  Local  authentication  and  authorization  (for  more  information,  see  the  "Configuring  the  Switch  for 
Local  Authentication  and  Authorization"  section  on  page  5-36) 


Note      This  software  release  does  not  support  IP  Security  (IPSec). 
Limitations

These  limitations  apply  to  SSH: 

•  The switch supports Rivest, Shamir, and Adleman (RSA) authentication.

•  SSH supports only the execution-shell application.

•  The SSH server and the SSH client are supported only on DES (56-bit) and 3DES (168-bit) data encryption software. A 56-bit DES key is within reach of a brute-force search, so use 3DES whenever the peer supports it.

•  The switch does not support the Advanced Encryption Standard (AES) symmetric encryption algorithm.

Configuring  SSH 

This  section  has  this  configuration  information: 

•  Configuration  Guidelines,  page  5-39 

•  Setting  Up  the  Switch  to  Run  SSH,  page  5-39  (required) 

•  Configuring  the  SSH  Server,  page  5-40  (required  only  if  you  are  configuring  the  switch  as  an  SSH 
server) 

Configuration  Guidelines 

Follow  these  guidelines  when  configuring  the  switch  as  an  SSH  server  or  SSH  client: 

•  An RSA key pair generated by an SSHv1 server can be used by an SSHv2 server, and the reverse.

•  If  you  get  CLI  error  messages  after  entering  the  crypto  key  generate  rsa  global  configuration 
command,  an  RSA  key  pair  has  not  been  generated.  Reconfigure  the  hostname  and  domain,  and  then 
enter  the  crypto  key  generate  rsa  command.  For  more  information,  see  the  "Setting  Up  the  Switch 
to  Run  SSH"  section  on  page  5-39. 

•  When generating the RSA key pair, the message No host name specified might appear. If it does, you must configure a hostname by using the hostname global configuration command.

•  When generating the RSA key pair, the message No domain specified might appear. If it does, you must configure an IP domain name by using the ip domain-name global configuration command.

•  When  configuring  the  local  authentication  and  authorization  authentication  method,  make  sure  that 
AAA  is  disabled  on  the  console. 

Setting  Up  the  Switch  to  Run  SSH 

Follow  these  steps  to  set  up  your  switch  to  run  SSH: 

1.  Download  the  cryptographic  software  image  from  www.hp.com/support.  This  step  is  required.  For 
more  information,  see  the  Cisco  Gigabit  Ethernet  Switch  Module  for  HP  BladeSystem  p-Class 
Release  Notes  for  this  release. 

2.  Configure  a  hostname  and  IP  domain  name  for  the  switch.  Follow  this  procedure  only  if  you  are 
configuring  the  switch  as  an  SSH  server. 
3.  Generate an RSA key pair for the switch, which automatically enables SSH. Follow this procedure
only  if  you  are  configuring  the  switch  as  an  SSH  server. 

4.  Configure  user  authentication  for  local  or  remote  access.  This  step  is  required.  For  more 
information,  see  the  "Configuring  the  Switch  for  Local  Authentication  and  Authorization"  section 
on  page  5-36. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  a  hostname  and  an  IP  domain  name 
and  to  generate  an  RSA  key  pair.  This  procedure  is  required  if  you  are  configuring  the  switch  as  an  SSH 
server. 


Step 1  configure terminal
        Enter global configuration mode.

Step 2  hostname hostname
        Configure a hostname for your switch.

Step 3  ip domain-name domain_name
        Configure a host domain for your switch.

Step 4  crypto key generate rsa
        Enable the SSH server for local and remote authentication on the switch and generate an RSA key pair.

        When you generate RSA keys, you are prompted to enter a modulus length. We recommend a minimum modulus size of 1024 bits. A longer modulus is harder to factor, but it takes longer to generate and to use. (1024 bits is the minimum this software recommends; current guidance calls for 2048 bits or more where the platform supports it.)

Step 5  end
        Return to privileged EXEC mode.

Step 6  show ip ssh
        or
        show ssh
        Show the version and configuration information for your SSH server.
        Show the status of the SSH server on the switch.

Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To  delete  the  RSA  key  pair,  use  the  crypto  key  zeroize  rsa  global  configuration  command.  After  the 
RSA  key  pair  is  deleted,  the  SSH  server  is  automatically  disabled. 

Configuring  the  SSH  Server 

Beginning in privileged EXEC mode, follow these steps to configure the SSH server:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  ip ssh version [1 | 2]
        (Optional) Configure the switch to run SSH Version 1 or SSH Version 2.
        •  1 — Configure the switch to run SSH Version 1.
        •  2 — Configure the switch to run SSH Version 2.
        If you do not enter this command or do not specify a keyword, the SSH server accepts both versions and uses the latest version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2; a client that offers only SSHv1 is still accepted. SSHv1 has known protocol weaknesses, so configure ip ssh version 2 unless you must support a client that speaks only SSHv1.

Step 3  ip ssh {timeout seconds | authentication-retries number}
        Configure the SSH control parameters:
        •  Specify the time-out value in seconds; the default is 120 seconds. The range is 0 to 120 seconds. This parameter applies to the SSH negotiation phase. After the connection is established, the switch uses the default time-out values of the CLI-based sessions.
           By default, up to five simultaneous, encrypted SSH connections for multiple CLI-based sessions over the network are available (session 0 to session 4). After the execution shell starts, the CLI-based session time-out value returns to the default of 10 minutes.
        •  Specify the number of times that a client can re-authenticate to the server. The default is 3; the range is 0 to 5.
        Repeat this step when configuring both parameters.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show ip ssh
        or
        show ssh
        Show the version and configuration information for your SSH server.
        Show the status of the SSH server connections on the switch.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return to the default SSH control parameters, use the no ip ssh {timeout | authentication-retries} global configuration command.
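The two procedures above leave the switch in a state that is easy to misjudge from the CLI: RSA keys exist, SSH is "enabled", yet SSHv1 is still accepted and the vty lines still answer Telnet. The following Python, an added example and not part of the Cisco guide, reads `show ip ssh` output and a running-config and reports the settings this section covers. The sample outputs are constructed in the 12.2 format; "1.99" is the version string an SSH server advertises when it still accepts SSHv1 alongside SSHv2. Two checks go beyond the guide and are labelled as such: the vty `transport input ssh` check (enabling the SSH server does not by itself stop Telnet) and the 60-second / 2-retry thresholds, which are example policy values, not values the guide prescribes.

```python
"""Audit SSH server hardening from `show ip ssh` output and a running-config."""
import re

# Constructed `show ip ssh` output (12.2 format) for a switch with RSA keys but
# no `ip ssh version` command. "1.99" is the protocol-version string an SSH
# server advertises when it still accepts SSHv1 as well as SSHv2.
SHOW_SSH_DEFAULT = """\
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
"""

SHOW_SSH_HARDENED = """\
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 2
"""

# Constructed running-config excerpts. IOS stores the SSH time-out keyword
# as `ip ssh time-out`; the audit also accepts the guide's `timeout` spelling.
CONFIG_DEFAULT = """\
hostname Switch
ip domain-name example.test
!
line vty 0 4
 login local
"""

CONFIG_HARDENED = """\
hostname Switch
ip domain-name example.test
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
line vty 0 4
 login local
 transport input ssh
"""

MAX_AUTH_TIMEOUT = 60   # example policy value; the platform default is 120 s
MAX_AUTH_RETRIES = 2    # example policy value; the platform default is 3


def parse_show_ip_ssh(text):
    """Return state, advertised protocol version and the two control parameters."""
    state = re.search(r"SSH (Enabled|Disabled) - version ([\d.]+)", text)
    ctrl = re.search(r"Authentication timeout: (\d+) secs; Authentication retries: (\d+)", text)
    if not state or not ctrl:
        raise ValueError("unrecognised show ip ssh output")
    return {"enabled": state.group(1) == "Enabled", "version": state.group(2),
            "timeout": int(ctrl.group(1)), "retries": int(ctrl.group(2))}


def ssh_config_lines(config):
    """Return {keyword: value} for every `ip ssh ...` line in the config."""
    found = {}
    for m in re.finditer(r"^ip ssh (time-?out|authentication-retries|version) (\S+)", config, re.M):
        found[m.group(1).replace("time-out", "timeout")] = m.group(2)
    return found


def vty_transport_inputs(config):
    """Return the `transport input` value of each `line vty` block (None if unset)."""
    values, in_vty = [], False
    for line in config.splitlines():
        if line.startswith("line vty"):
            in_vty, values = True, values + [None]
        elif in_vty and line.startswith(" "):
            m = re.match(r"\s+transport input (.+)", line)
            if m:
                values[-1] = m.group(1).strip()
        else:
            in_vty = False
    return values


def audit_ssh(show_text, config):
    """Return a list of findings; an empty list means every check passed."""
    st = parse_show_ip_ssh(show_text)
    findings = []
    if not st["enabled"]:
        findings.append("SSH server disabled: no RSA key pair (crypto key generate rsa)")
    if st["version"] != "2.0" or ssh_config_lines(config).get("version") != "2":
        findings.append(f"server advertises version {st['version']}: SSHv1 still accepted, "
                        "add `ip ssh version 2`")
    if st["timeout"] > MAX_AUTH_TIMEOUT:
        findings.append(f"authentication timeout {st['timeout']} s exceeds policy {MAX_AUTH_TIMEOUT} s")
    if st["retries"] > MAX_AUTH_RETRIES:
        findings.append(f"authentication retries {st['retries']} exceeds policy {MAX_AUTH_RETRIES}")
    # Beyond the guide's SSH section: enabling SSH does not stop Telnet on the vty lines.
    for value in vty_transport_inputs(config):
        if value != "ssh":
            findings.append(f"vty transport input {value or 'unrestricted (default)'}: "
                            "set `transport input ssh`")
    return findings


if __name__ == "__main__":
    print("default :", audit_ssh(SHOW_SSH_DEFAULT, CONFIG_DEFAULT))
    print("hardened:", audit_ssh(SHOW_SSH_HARDENED, CONFIG_HARDENED))
```

Run against live output, the `version` check is the one that matters most: a switch that reports 1.99 is still open to SSHv1 clients even though every modern client will negotiate SSHv2 with it.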


Displaying  the  SSH  Configuration  and  Status 


To display the SSH server configuration and status, use one or more of the privileged EXEC commands in Table 5-3:

Table 5-3  Commands for Displaying the SSH Server Configuration and Status

Command        Purpose
show ip ssh    Shows the version and configuration information for the SSH server.
show ssh       Shows the status of the SSH server.

For more information about these commands, see the "Secure Shell Commands" section in the "Other Security Features" chapter of the Cisco IOS Security Command Reference, Cisco IOS Release 12.2, at this URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_book09186a0080087e33.html


380261-003  Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide  5-41


Configuring  the  Switch  for  Secure  Socket  Layer  HTTP 

This section describes how to configure Secure Socket Layer (SSL) version 3.0 support for the HTTP 1.1 server and client. SSL provides server authentication, encryption, and message integrity, as well as HTTP client authentication, to allow secure HTTP communications. To use this feature, the cryptographic (encrypted) software image must be installed on your switch. You can download the cryptographic software image from www.hp.com/support. For more information about the crypto image, see the Cisco Gigabit Ethernet Switch Module for HP BladeSystem p-Class Release Notes for this release.

These  sections  contain  this  information: 

•  Understanding  Secure  HTTP  Servers  and  Clients,  page  5-42 

•  Configuring  Secure  HTTP  Servers  and  Clients,  page  5-44 

•  Displaying  Secure  HTTP  Server  and  Client  Status,  page  5-48 

For  configuration  examples  and  complete  syntax  and  usage  information  for  the  commands  used  in  this 
section,  see  the  "HTTPS  -  HTTP  Server  and  Client  with  SSL  3.0"  feature  description  for  Cisco  IOS 
Release  12.2(15)T  at  this  URL: 

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a008015a4c6.html

Understanding  Secure  HTTP  Servers  and  Clients 

On  a  secure  HTTP  connection,  data  to  and  from  an  HTTP  server  is  encrypted  before  being  sent  over  the 
Internet.  HTTP  with  SSL  encryption  provides  a  secure  connection  to  allow  such  functions  as  configuring 
a  switch  from  a  Web  browser.  Cisco's  implementation  of  the  secure  HTTP  server  and  secure  HTTP  client 
uses  an  implementation  of  SSL  Version  3.0  with  application-layer  encryption.  HTTP  over  SSL  is 
abbreviated  as  HTTPS;  the  URL  of  a  secure  connection  begins  with  https://  instead  of  http://. 

The  primary  role  of  the  HTTP  secure  server  (the  switch)  is  to  listen  for  HTTPS  requests  on  a  designated 
port  (the  default  HTTPS  port  is  443)  and  pass  the  request  to  the  HTTP  1.1  Web  server.  The  HTTP  1.1 
server  processes  requests  and  passes  responses  (pages)  back  to  the  HTTP  secure  server,  which,  in  turn, 
responds  to  the  original  request. 

The  primary  role  of  the  HTTP  secure  client  (the  web  browser)  is  to  respond  to  Cisco  IOS  application 
requests  for  HTTPS  User  Agent  services,  perform  HTTPS  User  Agent  services  for  the  application,  and 
pass  the  response  back  to  the  application. 

Certificate  Authority  Trustpoints 

Certificate  authorities  (CAs)  manage  certificate  requests  and  issue  certificates  to  participating  network 
devices.  These  services  provide  centralized  security  key  and  certificate  management  for  the  participating 
devices.  Specific  CA  servers  are  referred  to  as  trustpoints. 

When a connection attempt is made, the HTTPS server provides a secure connection by issuing a certified X.509v3 certificate, obtained from a specified CA trustpoint, to the client. The client (usually a Web browser), in turn, holds the public key of the CA, which allows it to verify the signature on the certificate and so authenticate the server.

For secure HTTP connections, we highly recommend that you configure a CA trustpoint. If a CA trustpoint is not configured for the device running the HTTPS server, the server certifies itself and generates the needed RSA key pair. Because a self-certified (self-signed) certificate gives the client no independent assurance of the server's identity, the connecting client generates a notification that the certificate is self-certified, and the user has the opportunity to accept or reject the connection. This option is useful for internal network topologies (such as testing).

If  you  do  not  configure  a  CA  trustpoint,  when  you  enable  a  secure  HTTP  connection,  either  a  temporary 
or  a  persistent  self- signed  certificate  for  the  secure  HTTP  server  (or  client)  is  automatically  generated. 

•  If the switch is not configured with a hostname and a domain name, a temporary self-signed certificate is generated. If the switch reboots, any temporary self-signed certificate is lost, and a new temporary self-signed certificate is assigned.

•  If  the  switch  has  been  configured  with  a  host  and  domain  name,  a  persistent  self-signed  certificate 
is  generated.  This  certificate  remains  active  if  you  reboot  the  switch  or  if  you  disable  the  secure 
HTTP  server  so  that  it  will  be  there  the  next  time  you  re-enable  a  secure  HTTP  connection. 

If a self-signed certificate has been generated, this information is included in the output of the show running-config privileged EXEC command. This is a partial sample output from that command displaying a self-signed certificate.

Switch# show running-config
Building configuration...

<output truncated>

crypto pki trustpoint TP-self-signed-3080755072
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3080755072
 revocation-check none
 rsakeypair TP-self-signed-3080755072

crypto ca certificate chain TP-self-signed-3080755072
 certificate self-signed 01
  3082029F 30820208 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  59312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33303830 37353530 37323126 30240609 2A864886 F70D0109
  02161743 45322D33 3535302D 31332E73 756D6D30 342D3335 3530301E 170D3933
  30333031 30303030 35395A17 0D323030 31303130 30303030 305A3059 312F302D

<output truncated>


You can remove this self-signed certificate by disabling the secure HTTP server and entering the no crypto pki trustpoint TP-self-signed-3080755072 global configuration command. If you later re-enable a secure HTTP server, a new self-signed certificate is generated.


Note  The values that follow TP-self-signed depend on the serial number of the device.


You  can  use  an  optional  command  (ip  http  secure-client-auth)  to  allow  the  HTTPS  server  to  request 
an  X.509v3  certificate  from  the  client.  Authenticating  the  client  provides  more  security  than  server 
authentication  by  itself. 

For  additional  information  on  Certificate  Authorities,  see  the  "Configuring  Certification  Authority 
Interoperability"  chapter  in  the  Cisco  IOS  Security  Configuration  Guide,  Release  12.2. 
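The hex dump above is enough to see what the automatically generated certificate actually commits the switch to. The following Python, an added example that is not part of the Cisco guide, decodes the leading DER fields of the certificate from the hex printed in the sample output (the dump is truncated, so only the fields that fall inside those 160 bytes are read): version, serial number, signature algorithm, issuer name and the start of the validity period. The OID and attribute tables, and the observations drawn in review(), are my additions; the bytes are copied from the page as printed.

```python
"""Decode the leading fields of the self-signed certificate dump shown above."""
import re

# Copied from the partial `show running-config` output above (truncated DER).
CERT_DUMP = """
3082029F 30820208 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
59312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33303830 37353530 37323126 30240609 2A864886 F70D0109
02161743 45322D33 3535302D 31332E73 756D6D30 342D3335 3530301E 170D3933
30333031 30303030 35395A17 0D323030 31303130 30303030 305A3059 312F302D
"""

SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
ATTR_NAMES = {"2.5.4.3": "CN", "1.2.840.113549.1.9.2": "unstructuredName"}


def read_tlv(buf, pos):
    """Parse one DER tag-length-value header; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER body to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_name(buf, start, end):
    """X.501 Name: SEQUENCE OF SET OF (OID, string); return {attribute: value}."""
    attrs, pos = {}, start
    while pos < end:
        _, set_start, set_end = read_tlv(buf, pos)          # SET
        _, seq_start, _ = read_tlv(buf, set_start)          # SEQUENCE
        _, oid_start, oid_end = read_tlv(buf, seq_start)    # attribute type OID
        _, val_start, val_end = read_tlv(buf, oid_end)      # attribute value string
        oid = decode_oid(buf[oid_start:oid_end])
        attrs[ATTR_NAMES.get(oid, oid)] = buf[val_start:val_end].decode("ascii")
        pos = set_end
    return attrs


def parse_cert_prefix(hex_dump):
    """Decode the fields of an X.509 certificate that precede the subject name."""
    buf = bytes.fromhex(re.sub(r"\s+", "", hex_dump))
    _, pos, cert_end = read_tlv(buf, 0)              # Certificate SEQUENCE (full length)
    _, pos, _ = read_tlv(buf, pos)                   # tbsCertificate SEQUENCE
    tag, v_start, v_end = read_tlv(buf, pos)
    version = 1
    if tag == 0xA0:                                  # [0] EXPLICIT version; 2 means v3
        version = buf[v_end - 1] + 1
        tag, v_start, v_end = read_tlv(buf, v_end)   # serialNumber INTEGER
    serial = int.from_bytes(buf[v_start:v_end], "big")
    _, alg_start, alg_end = read_tlv(buf, v_end)     # signature AlgorithmIdentifier
    _, oid_start, oid_end = read_tlv(buf, alg_start)
    sig_oid = decode_oid(buf[oid_start:oid_end])
    _, iss_start, iss_end = read_tlv(buf, alg_end)   # issuer Name
    _, val_start, _ = read_tlv(buf, iss_end)         # Validity SEQUENCE
    _, nb_start, nb_end = read_tlv(buf, val_start)   # notBefore UTCTime
    _, na_start, na_end = read_tlv(buf, nb_end)      # notAfter UTCTime
    return {
        "der_length": cert_end,                      # full DER length; the dump stops early
        "version": version,
        "serial": serial,
        "signature_algorithm": SIG_ALG_NAMES.get(sig_oid, sig_oid),
        "issuer": decode_name(buf, iss_start, iss_end),
        "not_before": buf[nb_start:nb_end].decode("ascii"),
        "not_after": buf[na_start:na_end].decode("ascii"),
    }


def review(info):
    """Security observations a reviewer draws from the decoded fields."""
    notes = []
    if info["issuer"].get("CN", "").startswith("IOS-Self-Signed"):
        notes.append("self-signed: no CA vouches for this server identity")
    if info["signature_algorithm"] == "md5WithRSAEncryption":
        notes.append("signed with MD5, a collision-broken hash")
    if info["not_before"].startswith("93"):
        notes.append("notBefore in 1993: the switch clock was unset (IOS default epoch) when the certificate was generated")
    return notes


if __name__ == "__main__":
    decoded = parse_cert_prefix(CERT_DUMP)
    print(decoded)
    print(review(decoded))
```

Two of the three observations tie directly to guidance elsewhere in this section: the 1993 start date is what you get when the certificate is generated before the system clock is set (see "SSL Configuration Guidelines"), and the MD5 signature is one more reason the guide prefers a CA-issued certificate over the self-signed default.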
CipherSuites

A  CipherSuite  specifies  the  encryption  algorithm  and  the  digest  algorithm  to  use  on  a  SSL  connection. 
When  connecting  to  the  HTTPS  server,  the  client  Web  browser  offers  a  list  of  supported  CipherSuites, 
and  the  client  and  server  negotiate  the  best  encryption  algorithm  to  use  from  those  on  the  list  that  are 
supported  by  both.  For  example,  Netscape  Communicator  4.76  supports  U.S.  security  with  RSA  Public 
Key  Cryptography,  MD2,  MD5,  RC2-CBC,  RC4,  DES-CBC,  and  DES-EDE3-CBC. 

For the best possible encryption, you should use a client browser that supports 128-bit encryption, such as Microsoft Internet Explorer Version 5.5 (or later) or Netscape Communicator Version 4.76 (or later). The SSL_RSA_WITH_DES_CBC_SHA CipherSuite provides less security than the other CipherSuites, as it does not offer 128-bit encryption.

The more secure and more complex CipherSuites require slightly more processing time. This list defines the CipherSuites supported by the switch and ranks them from fastest to slowest in terms of switch processing load (speed):

1.  SSL_RSA_WITH_DES_CBC_SHA— RSA  key  exchange  (RSA  Public  Key  Cryptography)  with 
DES-CBC  for  message  encryption  and  SHA  for  message  digest 

2.  SSL_RSA_WITH_RC4_128_MD5— RSA  key  exchange  with  RC4  128-bit  encryption  and  MD5  for 
message  digest 

3.  SSL_RSA_WITH_RC4_128_SHA— RSA  key  exchange  with  RC4  128-bit  encryption  and  SHA  for 
message  digest 

4.  SSL_RSA_WITH_3DES_EDE_CBC_SHA — RSA key exchange with 3DES (DES-EDE3-CBC) for message encryption and SHA for message digest

RSA (in conjunction with the specified encryption and digest algorithm combinations) is used for both key exchange and server authentication on SSL connections. This usage is independent of whether or not a CA trustpoint is configured.

Configuring  Secure  HTTP  Servers  and  Clients 

These  sections  contain  this  configuration  information: 

•  Default  SSL  Configuration,  page  5-44 

•  SSL  Configuration  Guidelines,  page  5-45 

•  Configuring  a  CA  Trustpoint,  page  5-45 

•  Configuring  the  Secure  HTTP  Server,  page  5-46 

•  Configuring  the  Secure  HTTP  Client,  page  5-47 

Default  SSL  Configuration 

The standard HTTP server is enabled.

SSL is enabled.

No  CA  trustpoints  are  configured. 

No  self-signed  certificates  are  generated. 
SSL Configuration Guidelines

When  SSL  is  used  in  a  switch  cluster,  the  SSL  session  terminates  at  the  cluster  commander.  Cluster 
member  switches  must  run  standard  HTTP. 

Before  you  configure  a  CA  trustpoint,  you  should  ensure  that  the  system  clock  is  set.  If  the  clock  is  not 
set,  the  certificate  is  rejected  due  to  an  incorrect  date. 


Configuring  a  CA  Trustpoint 

For  secure  HTTP  connections,  we  recommend  that  you  configure  an  official  CA  trustpoint. 
A  CA  trustpoint  is  more  secure  than  a  self-signed  certificate. 

Beginning in privileged EXEC mode, follow these steps to configure a CA trustpoint:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  hostname hostname
        Specify the hostname of the switch (required only if you have not previously configured a hostname). The hostname is required for security keys and certificates.

Step 3  ip domain-name domain-name
        Specify the IP domain name of the switch (required only if you have not previously configured an IP domain name). The domain name is required for security keys and certificates.

Step 4  crypto key generate rsa
        (Optional) Generate an RSA key pair. RSA key pairs are required before you can obtain a certificate for the switch. RSA key pairs are generated automatically. You can use this command to regenerate the keys, if needed.

Step 5  crypto ca trustpoint name
        Specify a local configuration name for the CA trustpoint and enter CA trustpoint configuration mode.

Step 6  enrollment url url
        Specify the URL to which the switch should send certificate requests.

Step 7  enrollment http-proxy host-name port-number
        (Optional) Configure the switch to obtain certificates from the CA through an HTTP proxy server.

Step 8  crl query url
        Configure the switch to request a certificate revocation list (CRL) to ensure that the certificate of the peer has not been revoked.

Step 9  primary
        (Optional) Specify that the trustpoint should be used as the primary (default) trustpoint for CA requests.

Step 10  exit
        Exit CA trustpoint configuration mode and return to global configuration mode.

Step 11  crypto ca authentication name
        Authenticate the CA by getting the public key of the CA. Use the same name used in Step 5. The command displays the fingerprint of the CA certificate before asking you to accept it; compare that fingerprint with a value obtained out of band from the CA administrator, because accepting the wrong CA here defeats every later certificate check.

Step 12  crypto ca enroll name
        Obtain the certificate from the specified CA trustpoint. This command requests a signed certificate for each RSA key pair.

Step 13  end
        Return to privileged EXEC mode.

Step 14  show crypto ca trustpoints
        Verify the configuration.

Step 15  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Use the no crypto ca trustpoint name global configuration command to delete all identity information and certificates associated with the CA.


Configuring  the  Secure  HTTP  Server 

If  you  are  using  a  certificate  authority  for  certification,  you  should  use  the  previous  procedure  to 
configure  the  CA  trustpoint  on  the  switch  before  enabling  the  HTTP  server.  If  you  have  not  configured 
a  CA  trustpoint,  a  self-signed  certificate  is  generated  the  first  time  that  you  enable  the  secure  HTTP 
server.  After  you  have  configured  the  server,  you  can  configure  options  (path,  access  list  to  apply, 
maximum  number  of  connections,  or  timeout  policy)  that  apply  to  both  standard  and  secure  HTTP 
servers. 

Beginning in privileged EXEC mode, follow these steps to configure a secure HTTP server:

Step 1  show ip http server status
        (Optional) Display the status of the HTTP server to determine if the secure HTTP server feature is supported in the software. You should see one of these lines in the output:
        HTTP secure server capability: Present
        or
        HTTP secure server capability: Not present

Step 2  configure terminal
        Enter global configuration mode.

Step 3  ip http secure-server
        Enable the HTTPS server if it has been disabled. The HTTPS server is enabled by default.

Step 4  ip http secure-port port-number
        (Optional) Specify the port number to be used for the HTTPS server. The default port number is 443. Valid options are 443 or any number in the range 1025 to 65535.

Step 5  ip http secure-ciphersuite {[3des-ede-cbc-sha] [rc4-128-md5] [rc4-128-sha] [des-cbc-sha]}
        (Optional) Specify the CipherSuites (encryption algorithms) to be used for encryption over the HTTPS connection. If you do not have a reason to specify a particular CipherSuite, you should allow the server and client to negotiate a CipherSuite that they both support. This is the default.

Step 6  ip http secure-client-auth
        (Optional) Configure the HTTP server to request an X.509v3 certificate from the client for authentication during the connection process. The default is for the client to request a certificate from the server, but the server does not attempt to authenticate the client.

Step 7  ip http secure-trustpoint name
        Specify the CA trustpoint to use to get an X.509v3 security certificate and to authenticate the client certificate connection.
        Note  Use of this command assumes you have already configured a CA trustpoint according to the previous procedure.

Step 8  ip http path path-name
        (Optional) Set a base HTTP path for HTML files. The path specifies the location of the HTTP server files on the local system (usually located in system flash memory).

Step 9  ip http access-class access-list-number
        (Optional) Specify an access list to use to allow access to the HTTP server.

Step 10  ip http max-connections value
        (Optional) Set the maximum number of concurrent connections that are allowed to the HTTP server. The range is 1 to 16; the default value is 5.

Step 11  ip http timeout-policy idle seconds life seconds requests value
        (Optional) Specify how long a connection to the HTTP server can remain open under the defined circumstances:
        •  idle — the maximum time period when no data is received or response data cannot be sent. The range is 1 to 600 seconds. The default is 180 seconds (3 minutes).
        •  life — the maximum time period from the time that the connection is established. The range is 1 to 86400 seconds (24 hours). The default is 180 seconds.
        •  requests — the maximum number of requests processed on a persistent connection. The maximum value is 86400. The default is 1.

Step 12  end
        Return to privileged EXEC mode.

Step 13  show ip http server secure status
        Display the status of the HTTP secure server to verify the configuration.

Step 14  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Use  the  no  ip  http  server  global  configuration  command  to  disable  the  standard  HTTP  server.  Use  the 
no  ip  http  secure-server  global  configuration  command  to  disable  the  secure  HTTP  server.  Use  the  no 
ip  http  secure-port  and  the  no  ip  http  secure-ciphersuite  global  configuration  commands  to  return  to 
the  default  settings.  Use  the  no  ip  http  secure-client-auth  global  configuration  command  to  remove  the 
requirement  for  client  authentication. 

To verify the secure HTTP connection by using a Web browser, enter https://URL, where the URL is the IP address or hostname of the server switch. If you configure a port other than the default port, you must also specify the port number after the URL. For example:

https://209.165.129:1026

or

https://host.domain.com:1026
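The procedure above leaves several choices to the administrator, and the running-config is the only place they can all be seen together. The following Python, an added example and not part of the Cisco guide, audits the `ip http` lines of a running-config against the points this section makes: the cleartext server disabled with `no ip http server`, `ip http authentication aaa` from the note earlier in this chapter, DES-CBC-SHA kept out of the suite list, a CA trustpoint rather than the TP-self-signed default, and an access class applied. CONFIG_WEAK and CONFIG_HARDENED are constructed; CORP-CA, access list 10 and the ca.example.test URLs are placeholders. One caveat the guide predates: by current standards SSL 3.0 and all four suites this software offers are deprecated, so within this release the most a check can enforce is excluding DES.

```python
"""Audit the HTTP/HTTPS server lines of a Cisco IOS running-config."""
import re

# Constructed: a switch after `ip http secure-server` alone, with the weakest
# suite still allowed and the automatically generated self-signed trustpoint.
CONFIG_WEAK = """\
ip http server
ip http secure-server
ip http secure-ciphersuite des-cbc-sha rc4-128-md5
ip http secure-trustpoint TP-self-signed-3080755072
!
crypto pki trustpoint TP-self-signed-3080755072
 enrollment selfsigned
 revocation-check none
 rsakeypair TP-self-signed-3080755072
"""

# Constructed: cleartext server off, AAA on, CA-issued certificate, ACL applied.
# CORP-CA, access list 10 and the ca.example.test URLs are placeholders.
CONFIG_HARDENED = """\
no ip http server
ip http secure-server
ip http authentication aaa
ip http secure-ciphersuite 3des-ede-cbc-sha rc4-128-sha
ip http secure-trustpoint CORP-CA
ip http access-class 10
ip http timeout-policy idle 60 life 600 requests 10
!
crypto ca trustpoint CORP-CA
 enrollment url http://ca.example.test:80
 crl query ldap://ca.example.test
"""


def http_settings(config):
    """Map each `ip http <key> ...` line to its arguments.

    Value is None for a negated line (`no ip http server`), "" for a bare
    keyword, otherwise the argument string. Absent keys keep their defaults.
    """
    settings = {}
    for line in config.splitlines():
        m = re.match(r"(no )?ip http (\S+)(?: (.*))?$", line.strip())
        if m:
            negated, key, args = m.groups()
            settings[key] = None if negated else (args or "")
    return settings


def audit_https(config):
    """Return a list of findings; an empty list means every check passed."""
    s = http_settings(config)
    findings = []
    # Both servers are enabled by default, so only an explicit `no` line disables them.
    if s.get("server", "") is not None:
        findings.append("cleartext HTTP server enabled: add `no ip http server`")
    if s.get("secure-server", "") is None:
        findings.append("HTTPS server disabled: add `ip http secure-server`")
    if s.get("authentication") != "aaa":
        findings.append("HTTP access not using AAA: add `ip http authentication aaa`")
    suites = (s.get("secure-ciphersuite") or "").split()
    if not suites:
        findings.append("CipherSuite left to negotiation: des-cbc-sha can be selected; pin the list")
    elif "des-cbc-sha" in suites:
        findings.append("des-cbc-sha allowed: 56-bit DES is the weakest of the four suites")
    trustpoint = s.get("secure-trustpoint")
    if not trustpoint or trustpoint.startswith("TP-self-signed-"):
        findings.append("self-signed certificate in use: enrol with a CA and set `ip http secure-trustpoint`")
    if "access-class" not in s:
        findings.append("no `ip http access-class`: any source address may reach the server")
    return findings


if __name__ == "__main__":
    print("weak    :", audit_https(CONFIG_WEAK))
    print("hardened:", audit_https(CONFIG_HARDENED))
```

The trustpoint test keys on the TP-self-signed- prefix that the sample running-config earlier in this section shows; a trustpoint with any other name is taken to be CA-enrolled, which is exactly what `show crypto ca trustpoints` should be used to confirm.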


Configuring  the  Secure  HTTP  Client 

The  standard  HTTP  client  and  secure  HTTP  client  are  always  enabled.  A  certificate  authority  is  required 
for  secure  HTTP  client  certification.  This  procedure  assumes  that  you  have  previously  configured  a  CA 
trustpoint  on  the  switch.  If  a  CA  trustpoint  is  not  configured  and  the  remote  HTTPS  server  requires  client 
authentication,  connections  to  the  secure  HTTP  client  fail. 

Beginning in privileged EXEC mode, follow these steps to configure a secure HTTP client:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  ip http client secure-trustpoint name
        (Optional) Specify the CA trustpoint to be used if the remote HTTP server requests client authentication. Using this command assumes that you have already configured a CA trustpoint by using the previous procedure. The command is optional if client authentication is not needed or if a primary trustpoint has been configured.

Step 3  ip http client secure-ciphersuite {[3des-ede-cbc-sha] [rc4-128-md5] [rc4-128-sha] [des-cbc-sha]}
        (Optional) Specify the CipherSuites (encryption algorithms) to be used for encryption over the HTTPS connection. If you do not have a reason to specify a particular CipherSuite, you should allow the server and client to negotiate a CipherSuite that they both support. This is the default.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show ip http client secure status
        Display the status of the HTTP secure client to verify the configuration.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Use  the  no  ip  http  client  secure-trustpoint  name  to  remove  a  client  trustpoint  configuration.  Use  the 
no  ip  http  client  secure-ciphersuite  to  remove  a  previously  configured  CipherSuite  specification  for 
the  client. 


Displaying  Secure  HTTP  Server  and  Client  Status 

To display the SSL secure server and client status, use the privileged EXEC commands in Table 5-4:

Table 5-4  Commands for Displaying the SSL Secure Server and Client Status

Command                             Purpose
show ip http client secure status   Shows the HTTP secure client configuration.
show ip http server secure status   Shows the HTTP secure server configuration.
show running-config                 Shows the generated self-signed certificate for secure HTTP connections.

Configuring  the  Switch  for  Secure  Copy  Protocol 

The  Secure  Copy  Protocol  (SCP)  feature  provides  a  secure  and  authenticated  method  for  copying  switch 
configurations  or  switch  image  files.  SCP  relies  on  Secure  Shell  (SSH),  an  application  and  a  protocol 
that  provides  a  secure  replacement  for  the  Berkeley  r-tools. 

For SSH to work, the switch needs an RSA public/private key pair. The same applies to SCP, which relies on SSH for its secure transport.

Because SSH relies on AAA authentication, and SCP relies further on AAA authorization, correct configuration is necessary.

•  Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the switch.

•  Because SCP relies on SSH for its secure transport, the switch must have a Rivest, Shamir, and Adleman (RSA) key pair.

Note  When using SCP, you cannot enter the password into the copy command. You must enter the password when prompted.
Information About Secure Copy

To  configure  Secure  Copy  feature,  you  should  understand  these  concepts. 

The behavior of SCP is similar to that of remote copy (rcp), which comes from the Berkeley r-tools suite, except that SCP relies on SSH for security. SCP also requires that authentication, authorization, and accounting (AAA) authorization be configured so the switch can determine whether the user has the correct privilege level.

A  user  who  has  appropriate  authorization  can  use  SCP  to  copy  any  file  in  the  Cisco  IOS  File  System 
(IFS)  to  and  from  a  switch  by  using  the  copy  command.  An  authorized  administrator  can  also  do  this 
from  a  workstation. 

For  more  information  on  how  to  configure  and  verify  SCP,  see  the  "Secure  Copy  Protocol"  chapter  of 
the  Cisco  IOS  New  Features,  Cisco  IOS  Release  12.2,  at  this  URL: 

http://www.cisco.com/en/US/products/sw/iosswrel/ps  1 839/products_feature_guide09 1 86a0080087b  1 8 
.html 
Configuring IEEE 802.1x Port-Based Authentication

This chapter describes how to configure IEEE 802.1x port-based authentication on the switch.

IEEE 802.1x authentication prevents unauthorized devices (clients) from gaining access to the network.

Note      For complete syntax and usage information for the commands used in this chapter, see the "RADIUS Commands" section in the Cisco IOS Security Command Reference, Release 12.2 and the command reference for this release.

This chapter consists of these sections:

• Understanding IEEE 802.1x Port-Based Authentication, page 6-1

• Configuring IEEE 802.1x Authentication, page 6-19

• Displaying IEEE 802.1x Statistics and Status, page 6-42

Understanding IEEE 802.1x Port-Based Authentication

The IEEE 802.1x standard defines a client-server-based access control and authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated. The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN.

Until the client is authenticated, IEEE 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.

These sections describe IEEE 802.1x port-based authentication:

• Device Roles, page 6-2

• Authentication Process, page 6-3

• Authentication Initiation and Message Exchange, page 6-5

• Ports in Authorized and Unauthorized States, page 6-7

• IEEE 802.1x Host Mode, page 6-8

• IEEE 802.1x Accounting, page 6-9

• IEEE 802.1x Accounting Attribute-Value Pairs, page 6-9

• Using IEEE 802.1x Authentication with VLAN Assignment, page 6-10

• Using IEEE 802.1x Authentication with Per-User ACLs, page 6-11

• Using IEEE 802.1x Authentication with Guest VLAN, page 6-12

• Using IEEE 802.1x Authentication with Restricted VLAN, page 6-13

• Using IEEE 802.1x Authentication with Inaccessible Authentication Bypass, page 6-14

• Using IEEE 802.1x Authentication with Voice VLAN Ports, page 6-15

• Using IEEE 802.1x Authentication with Port Security, page 6-16

• Using IEEE 802.1x Authentication with Wake-on-LAN, page 6-16

• Using IEEE 802.1x Authentication with MAC Authentication Bypass, page 6-17

• Using Web Authentication, page 6-18

Device Roles

With IEEE 802.1x port-based authentication, the devices in the network have specific roles as shown in Figure 6-1.

Figure 6-1          IEEE 802.1x Device Roles

• Client — the device (workstation) that requests access to the LAN and switch services and responds to requests from the switch. The workstation must be running IEEE 802.1x-compliant client software such as that offered in the Microsoft Windows XP operating system. (The client is the supplicant in the IEEE 802.1x standard.)

Note      To resolve Windows XP network connectivity and IEEE 802.1x authentication issues, read the Microsoft Knowledge Base article at this URL:
http://support.microsoft.com/support/kb/articles/Q303/5/97.ASP

• Authentication server — performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. In this release, the RADIUS security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server. It is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.

• Switch (edge switch or wireless access point) — controls the physical access to the network based on the authentication status of the client. The switch acts as an intermediary (proxy) between the client and the authentication server, requesting identity information from the client, verifying that information with the authentication server, and relaying a response to the client. The switch includes the RADIUS client, which is responsible for encapsulating and decapsulating the EAP frames and interacting with the authentication server. (The switch is the authenticator in the IEEE 802.1x standard.)

When the switch receives EAPOL frames and relays them to the authentication server, the Ethernet header is stripped, and the remaining EAP frame is re-encapsulated in the RADIUS format. The EAP frames are not modified during encapsulation, and the authentication server must support EAP within the native frame format. When the switch receives frames from the authentication server, the server's frame header is removed, leaving the EAP frame, which is then encapsulated for Ethernet and sent to the client.

The devices that can act as intermediaries include the Catalyst 3750, Catalyst 3560, Catalyst 3550, Catalyst 2970, Catalyst 2960, CGESM switch, Catalyst 2955, Catalyst 2950, Catalyst 2940 switches, or a wireless access point. These devices must be running software that supports the RADIUS client and IEEE 802.1x authentication.

Authentication Process

When IEEE 802.1x port-based authentication is enabled and the client supports IEEE 802.1x-compliant client software, these events occur:

• If the client identity is valid and the IEEE 802.1x authentication succeeds, the switch grants the client access to the network.

• If IEEE 802.1x authentication times out while waiting for an EAPOL message exchange and MAC authentication bypass is enabled, the switch can use the client MAC address for authorization. If the client MAC address is valid and the authorization succeeds, the switch grants the client access to the network. If the client MAC address is invalid and the authorization fails, the switch assigns the client to a guest VLAN that provides limited services, if a guest VLAN is configured.

• If the switch gets an invalid identity from an IEEE 802.1x-capable client and a restricted VLAN is specified, the switch can assign the client to a restricted VLAN that provides limited services.

• If the RADIUS authentication server is unavailable (down) and inaccessible authentication bypass is enabled, the switch grants the client access to the network by putting the port in the critical-authentication state in the RADIUS-configured or the user-specified access VLAN.

Note      Inaccessible authentication bypass is also referred to as critical authentication or the AAA fail policy.
Figure 6-2 shows the authentication process.

Figure 6-2  Authentication Flowchart

1 = This occurs if the switch does not detect EAPOL packets from the client.

The switch re-authenticates a client when one of these situations occurs:

• Periodic re-authentication is enabled, and the re-authentication timer expires.

You can configure the re-authentication timer to use a switch-specific value or to be based on values from the RADIUS server.

After IEEE 802.1x authentication using a RADIUS server is configured, the switch uses timers based on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute[29]).

The Session-Timeout RADIUS attribute (Attribute[27]) specifies the time after which re-authentication occurs.

The Termination-Action RADIUS attribute (Attribute[29]) specifies the action to take during re-authentication. The actions are Initialize and ReAuthenticate. When the Initialize action is set (the attribute value is DEFAULT), the IEEE 802.1x session ends, and connectivity is lost during re-authentication. When the ReAuthenticate action is set (the attribute value is RADIUS-Request), the session is not affected during re-authentication.

• You manually re-authenticate the client by entering the dot1x re-authenticate interface interface-id privileged EXEC command.

Authentication Initiation and Message Exchange

During IEEE 802.1x authentication, the switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x port-control auto interface configuration command, the switch initiates authentication when the link state changes from down to up or periodically as long as the port remains up and unauthenticated. The switch sends an EAP-request/identity frame to the client to request its identity. Upon receipt of the frame, the client responds with an EAP-response/identity frame.

However, if during bootup the client does not receive an EAP-request/identity frame from the switch, the client can initiate authentication by sending an EAPOL-start frame, which prompts the switch to request the client's identity.

Note      If IEEE 802.1x authentication is not enabled or supported on the network access device, any EAPOL frames from the client are dropped. If the client does not receive an EAP-request/identity frame after three attempts to start authentication, the client sends frames as if the port is in the authorized state. A port in the authorized state effectively means that the client has been successfully authenticated. For more information, see the "Ports in Authorized and Unauthorized States" section on page 6-7.

When the client supplies its identity, the switch begins its role as the intermediary, passing EAP frames between the client and the authentication server until authentication succeeds or fails. If the authentication succeeds, the switch port becomes authorized. If the authentication fails, authentication can be retried, the port might be assigned to a VLAN that provides limited services, or network access is not granted. For more information, see the "Ports in Authorized and Unauthorized States" section on page 6-7.

The specific exchange of EAP frames depends on the authentication method being used. Figure 6-3 shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP) authentication method with a RADIUS server.

Figure 6-3
If IEEE 802.1x authentication times out while waiting for an EAPOL message exchange and MAC authentication bypass is enabled, the switch can authorize the client when the switch detects an Ethernet packet from the client. The switch uses the MAC address of the client as its identity and includes this information in the RADIUS-access/request frame that is sent to the RADIUS server. After the server sends the switch the RADIUS-access/accept frame (authorization is successful), the port becomes authorized. If authorization fails and a guest VLAN is specified, the switch assigns the port to the guest VLAN. If the switch detects an EAPOL packet while waiting for an Ethernet packet, the switch stops the MAC authentication bypass process and stops IEEE 802.1x authentication.

Figure 6-4 shows the message exchange during MAC authentication bypass.

Figure 6-4
Ports in Authorized and Unauthorized States

During IEEE 802.1x authentication, depending on the switch port state, the switch can grant a client access to the network. The port starts in the unauthorized state. While in this state, a port that is not configured as a voice VLAN port disallows all ingress and egress traffic except for IEEE 802.1x authentication, CDP, and STP packets. When a client is successfully authenticated, the port changes to the authorized state, allowing all traffic for the client to flow normally. If the port is configured as a voice VLAN port, the port allows VoIP traffic and IEEE 802.1x protocol packets before the client is successfully authenticated.

If a client that does not support IEEE 802.1x authentication connects to an unauthorized IEEE 802.1x port, the switch requests the client's identity. In this situation, the client does not respond to the request, the port remains in the unauthorized state, and the client is not granted access to the network.

In contrast, when an IEEE 802.1x-enabled client connects to a port that is not running the IEEE 802.1x standard, the client initiates the authentication process by sending the EAPOL-start frame. When no response is received, the client sends the request a fixed number of times. Because no response is received, the client begins sending frames as if the port is in the authorized state.

You control the port authorization state by using the dot1x port-control interface configuration command and these keywords:

• force-authorized — disables IEEE 802.1x authentication and causes the port to change to the authorized state without any authentication exchange required. The port sends and receives normal traffic without IEEE 802.1x-based authentication of the client. This is the default setting.

• force-unauthorized — causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the port.

• auto — enables IEEE 802.1x authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port changes from down to up or when an EAPOL-start frame is received. The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server. Each client attempting to access the network is uniquely identified by the switch by using the client MAC address.

If the client is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to authorized, and all frames from the authenticated client are allowed through the port. If the authentication fails, the port remains in the unauthorized state, but authentication can be retried. If the authentication server cannot be reached, the switch can resend the request. If no response is received from the server after the specified number of attempts, authentication fails, and network access is not granted.

When a client logs off, it sends an EAPOL-logoff message, causing the switch port to change to the unauthorized state.

If the link state of a port changes from up to down, or if an EAPOL-logoff frame is received, the port returns to the unauthorized state.
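The outcomes listed under "Authentication Process" and the port-control keywords above combine into a small state machine. The following Python model is an added example, not Cisco IOS code: it encodes those rules (plus the guest VLAN note later in this chapter, where an EAPOL frame seen after the move to the guest VLAN returns the port to unauthorized) so that the resulting port state and VLAN for a sequence of events can be checked. The names PortConfig, Dot1xPort, the event names and the defaults are assumptions made here; the critical-authentication case is simplified to the port's access VLAN.

```python
"""Port-state model of IEEE 802.1x authentication outcomes (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class PortConfig:
    """Per-port settings named in the text (defaults here are assumptions)."""
    port_control: str = "force-authorized"   # force-authorized | force-unauthorized | auto
    access_vlan: int = 1
    guest_vlan: Optional[int] = None         # used when no EAPOL exchange takes place
    restricted_vlan: Optional[int] = None    # used when an 802.1x-capable client fails
    mab: bool = False                        # MAC authentication bypass enabled
    inaccessible_bypass: bool = False        # critical authentication / AAA fail policy


@dataclass
class Dot1xPort:
    cfg: PortConfig
    state: str = field(init=False)
    vlan: int = field(init=False)

    def __post_init__(self) -> None:
        self.reset()

    def reset(self) -> Tuple[str, int]:
        """Initial/link-up state: force-authorized needs no exchange, everything else starts unauthorized."""
        self.vlan = self.cfg.access_vlan
        self.state = "authorized" if self.cfg.port_control == "force-authorized" else "unauthorized"
        return self.state, self.vlan

    def _move(self, state: str, vlan: int) -> Tuple[str, int]:
        self.state, self.vlan = state, vlan
        return state, vlan

    def event(self, name: str, **info) -> Tuple[str, int]:
        """Apply one event and return the resulting (state, vlan)."""
        cfg = self.cfg
        if name in ("link_down", "eapol_logoff"):
            # Either one returns the port to the unauthorized state (force-authorized excepted).
            return self.reset()
        if cfg.port_control != "auto":
            # force-authorized / force-unauthorized ignore every authentication exchange.
            return self.state, self.vlan
        if name == "auth_success":
            # Access-Accept: authorized, in the RADIUS-assigned VLAN when one was supplied.
            return self._move("authorized", info.get("vlan") or cfg.access_vlan)
        if name == "auth_fail":
            # Invalid identity from an 802.1x-capable client: restricted VLAN if configured,
            # otherwise the port stays unauthorized and authentication can be retried.
            if cfg.restricted_vlan:
                return self._move("restricted", cfg.restricted_vlan)
            return self._move("unauthorized", cfg.access_vlan)
        if name == "eapol_timeout":
            # No EAPOL exchange: with MAB the MAC address can authorize the port; a failed
            # or absent MAB falls to the guest VLAN when one is configured.
            if cfg.mab and info.get("mac_authorized"):
                return self._move("authorized", info.get("vlan") or cfg.access_vlan)
            if cfg.guest_vlan:
                return self._move("guest", cfg.guest_vlan)
            return self._move("unauthorized", cfg.access_vlan)
        if name == "radius_unreachable":
            # Server down: inaccessible authentication bypass puts the port in the
            # critical-authentication state (simplified here to the access VLAN).
            if cfg.inaccessible_bypass:
                return self._move("critical-authentication", cfg.access_vlan)
            return self._move("unauthorized", cfg.access_vlan)
        if name == "eapol_detected":
            # EAPOL seen after the port moved to the guest VLAN: revert and restart authentication.
            if self.state == "guest":
                return self._move("unauthorized", cfg.access_vlan)
            return self.state, self.vlan
        raise ValueError(f"unknown event {name!r}")


def walk(cfg: PortConfig, events) -> list:
    """Drive a fresh port through (event_name, info_dict) pairs and return each outcome."""
    port = Dot1xPort(cfg)
    return [port.event(name, **info) for name, info in events]


if __name__ == "__main__":
    cfg = PortConfig(port_control="auto", guest_vlan=99, restricted_vlan=77, mab=True)
    for outcome in walk(cfg, [("eapol_timeout", {"mac_authorized": False}),
                              ("eapol_detected", {}),
                              ("auth_success", {"vlan": 20}),
                              ("eapol_logoff", {})]):
        print(outcome)
```

Running the sample sequence shows the port moving to guest VLAN 99, back to unauthorized when EAPOL appears, to authorized in the RADIUS-assigned VLAN 20, and back to unauthorized in the access VLAN on EAPOL-logoff; a default (force-authorized) port never leaves the authorized state no matter which events arrive.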

IEEE 802.1x Host Mode

You can configure an IEEE 802.1x port for single-host or for multiple-hosts mode. In single-host mode (see Figure 6-1 on page 6-2), only one client can be connected to the IEEE 802.1x-enabled switch port. The switch detects the client by sending an EAPOL frame when the port link state changes to the up state. If a client leaves or is replaced with another client, the switch changes the port link state to down, and the port returns to the unauthorized state.

In multiple-hosts mode, you can attach multiple hosts to a single IEEE 802.1x-enabled port. Figure 6-5 on page 6-8 shows IEEE 802.1x port-based authentication in a wireless LAN. In this mode, only one of the attached clients must be authorized for all clients to be granted network access. If the port becomes unauthorized (re-authentication fails or an EAPOL-logoff message is received), the switch denies network access to all of the attached clients. In this topology, the wireless access point is responsible for authenticating the clients attached to it, and it also acts as a client to the switch.

With the multiple-hosts mode enabled, you can use IEEE 802.1x authentication to authenticate the port and port security to manage network access for all MAC addresses, including that of the client.

Figure 6-5         Multiple Host Mode Example
IEEE 802.1x Accounting

The IEEE 802.1x standard defines how users are authorized and authenticated for network access but does not keep track of network usage. IEEE 802.1x accounting is disabled by default. You can enable IEEE 802.1x accounting to monitor this activity on IEEE 802.1x-enabled ports:

• User successfully authenticates.

• User logs off.

• Link-down occurs.

• Re-authentication successfully occurs.

• Re-authentication fails.

The switch does not log IEEE 802.1x accounting information. Instead, it sends this information to the RADIUS server, which must be configured to log accounting messages.

IEEE 802.1x Accounting Attribute-Value Pairs

The information sent to the RADIUS server is represented in the form of Attribute-Value (AV) pairs. These AV pairs provide data for different applications. (For example, a billing application might require information that is in the Acct-Input-Octets or the Acct-Output-Octets attributes of a RADIUS packet.)

AV pairs are automatically sent by a switch that is configured for IEEE 802.1x accounting. Three types of RADIUS accounting packets are sent by a switch:

• START: sent when a new user session starts

• INTERIM: sent during an existing session for updates

• STOP: sent when a session terminates

Table 6-1 lists the AV pairs and when they are sent by the switch:

Table 6-1 Accounting AV Pairs

Attribute Number   AV Pair Name           START    INTERIM        STOP
Attribute[1]       User-Name              Always   Always         Always
Attribute[4]       NAS-IP-Address         Always   Always         Always
Attribute[5]       NAS-Port               Always   Always         Always
Attribute[8]       Framed-IP-Address      Never    Sometimes (1)  Sometimes (1)
Attribute[25]      Class                  Always   Always         Always
Attribute[30]      Called-Station-ID      Always   Always         Always
Attribute[31]      Calling-Station-ID     Always   Always         Always
Attribute[40]      Acct-Status-Type       Always   Always         Always
Attribute[41]      Acct-Delay-Time        Always   Always         Always
Attribute[42]      Acct-Input-Octets      Never    Never          Always
Attribute[43]      Acct-Output-Octets     Never    Never          Always
Attribute[44]      Acct-Session-ID        Always   Always         Always
Attribute[45]      Acct-Authentic         Always   Always         Always
Attribute[46]      Acct-Session-Time      Never    Never          Always
Attribute[49]      Acct-Terminate-Cause   Never    Never          Always
Attribute[61]      NAS-Port-Type          Always   Always         Always

1. The Framed-IP-Address AV pair is sent only if a valid Dynamic Host Configuration Protocol (DHCP) binding exists for the host in the DHCP snooping bindings table.


You can view the AV pairs that are being sent by the switch by entering the debug radius accounting privileged EXEC command. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.2 at this URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_book09186a00800872ce.html

For more information about AV pairs, see RFC 3580, "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines."
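Table 6-1 is also a checklist for what a collector on the RADIUS side should expect in each accounting record. The following Python example is added here and is not Cisco code: it parses the RADIUS header and attribute list (the type/length/value layout of RFC 2866), reads Acct-Status-Type (Start = 1, Stop = 2, Interim-Update = 3), and reports which "Always" AV pairs from the table are missing for that record type. The sample packet is constructed inline with a zeroed authenticator and made-up addresses and session ID; the helper names are assumptions.

```python
"""Check RADIUS Accounting-Request packets against Table 6-1 (added example, not Cisco code)."""
import struct

ACCOUNTING_REQUEST = 4          # RADIUS code for Accounting-Request
ACCT_STATUS_TYPE = 40
STATUS_NAMES = {1: "START", 2: "STOP", 3: "INTERIM"}

# Attribute number -> name, as listed in Table 6-1.
TABLE_6_1 = {
    1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 8: "Framed-IP-Address",
    25: "Class", 30: "Called-Station-ID", 31: "Calling-Station-ID",
    40: "Acct-Status-Type", 41: "Acct-Delay-Time", 42: "Acct-Input-Octets",
    43: "Acct-Output-Octets", 44: "Acct-Session-ID", 45: "Acct-Authentic",
    46: "Acct-Session-Time", 49: "Acct-Terminate-Cause", 61: "NAS-Port-Type",
}
# Attributes the table marks "Always" for each record type.
ALWAYS_IN_ALL = {1, 4, 5, 25, 30, 31, 40, 41, 44, 45, 61}
ALWAYS = {"START": ALWAYS_IN_ALL, "INTERIM": ALWAYS_IN_ALL,
          "STOP": ALWAYS_IN_ALL | {42, 43, 46, 49}}


def parse_radius(packet: bytes):
    """Return (code, identifier, [(attr_type, value_bytes), ...]); reject inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20                     # attributes follow the 16-byte authenticator
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} for type {atype}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def check_accounting(packet: bytes):
    """Return (record_type, [missing AV pair names]) for an Accounting-Request."""
    code, _, attrs = parse_radius(packet)
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    present = {t for t, _ in attrs}
    status_vals = [v for t, v in attrs if t == ACCT_STATUS_TYPE]
    if len(status_vals) != 1 or len(status_vals[0]) != 4:
        raise ValueError("exactly one 4-byte Acct-Status-Type is required")
    status = STATUS_NAMES.get(struct.unpack("!I", status_vals[0])[0])
    if status is None:
        raise ValueError("unknown Acct-Status-Type value")
    missing = sorted(TABLE_6_1[t] for t in ALWAYS[status] - present)
    return status, missing


def build_packet(code: int, ident: int, attrs) -> bytes:
    """Assemble a RADIUS packet; the authenticator is zeroed (constructed sample, not signed)."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def u32(n: int) -> bytes:
    return struct.pack("!I", n)


# Constructed STOP record that omits Acct-Session-Time (46) and Acct-Terminate-Cause (49).
SAMPLE_STOP = build_packet(ACCOUNTING_REQUEST, 7, [
    (1, b"alice"), (4, bytes([192, 0, 2, 10])), (5, u32(50101)), (25, b"SESSION-CLASS"),
    (30, b"00-11-22-33-44-55"), (31, b"66-77-88-99-AA-BB"), (40, u32(2)), (41, u32(0)),
    (42, u32(1024)), (43, u32(2048)), (44, b"00000001"), (45, u32(1)), (61, u32(15)),
])

if __name__ == "__main__":
    print(check_accounting(SAMPLE_STOP))   # STOP record missing two "Always" attributes
```

The length checks matter as much as the table lookup: an attribute whose declared length runs past the packet, or a length field that disagrees with the datagram size, is rejected before any field is interpreted, which is the behaviour you want from anything that consumes accounting data from the network.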

Using IEEE 802.1x Authentication with VLAN Assignment

The RADIUS server sends the VLAN assignment to configure the switch port. The RADIUS server database maintains the username-to-VLAN mappings, assigning the VLAN based on the username of the client connected to the switch port. You can use this feature to limit network access for certain users.

When configured on the switch and the RADIUS server, IEEE 802.1x authentication with VLAN assignment has these characteristics:

• If no VLAN is supplied by the RADIUS server or if IEEE 802.1x authentication is disabled, the port is configured in its access VLAN after successful authentication. Recall that an access VLAN is a VLAN assigned to an access port. All packets sent from or received on this port belong to this VLAN.

• If IEEE 802.1x authentication is enabled but the VLAN information from the RADIUS server is not valid, the port returns to the unauthorized state and remains in the configured access VLAN. This prevents ports from appearing unexpectedly in an inappropriate VLAN because of a configuration error.

Configuration errors could include specifying a malformed VLAN ID, a nonexistent VLAN ID, or an attempted assignment to a voice VLAN ID.

• If IEEE 802.1x authentication is enabled and all information from the RADIUS server is valid, the port is placed in the specified VLAN after authentication.

• If the multiple-hosts mode is enabled on an IEEE 802.1x port, all hosts are placed in the same VLAN (specified by the RADIUS server) as the first authenticated host.

• If IEEE 802.1x authentication and port security are enabled on a port, the port is placed in the RADIUS server-assigned VLAN.

• If IEEE 802.1x authentication is disabled on the port, it is returned to the configured access VLAN.

When the port is in the force authorized, force unauthorized, unauthorized, or shutdown state, it is put into the configured access VLAN.

If an IEEE 802.1x port is authenticated and put in the RADIUS server-assigned VLAN, any change to the port access VLAN configuration does not take effect.

The IEEE 802.1x authentication with VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic-access port assignment through a VLAN Membership Policy Server (VMPS).

To configure VLAN assignment you need to perform these tasks:

• Enable AAA authorization by using the network keyword to allow interface configuration from the RADIUS server.

• Enable IEEE 802.1x authentication. (The VLAN assignment feature is automatically enabled when you configure IEEE 802.1x authentication on an access port.)

• Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these attributes to the switch:

-  [64] Tunnel-Type = VLAN

-  [65] Tunnel-Medium-Type = 802

-  [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID

Attribute [64] must contain the value VLAN (type 13). Attribute [65] must contain the value 802 (type 6). Attribute [81] specifies the VLAN name or VLAN ID assigned to the IEEE 802.1x-authenticated user.

For examples of tunnel attributes, see the "Configuring the Switch to Use Vendor-Specific RADIUS Attributes" section on page 5-29.
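The validation rules above (all three tunnel attributes present, Tunnel-Type 13, Tunnel-Medium-Type 6, and a group ID that names an existing, non-voice VLAN) can be written down as a checker. The following Python is an added example, not Cisco code: it takes the decoded attribute list of an Access-Accept as (number, value bytes) pairs and returns either the VLAN to apply, "no assignment" (port stays in its access VLAN), or "invalid" with the reason, in which case the text says the port returns to the unauthorized state in its access VLAN. The tag-octet handling (RFC 2868 tunnel attributes carry a one-octet tag; for the string form a leading octet of 0x00 to 0x1F is a tag) and the VLAN table are assumptions of this example.

```python
"""Switch-side validation of RADIUS VLAN-assignment attributes (added example, not Cisco code)."""

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Attribute [64] must be VLAN (type 13)
TUNNEL_MEDIUM_802 = 6        # Attribute [65] must be 802 (type 6)


def tunnel_int(value: bytes) -> int:
    """Integer tunnel attributes are tag(1) + value(3): mask off the tag octet (assumption)."""
    if len(value) != 4:
        raise ValueError("tunnel integer attribute must be 4 octets")
    return int.from_bytes(value, "big") & 0xFFFFFF


def tunnel_string(value: bytes) -> str:
    """String tunnel attributes may start with a tag octet (0x00-0x1F); strip it (assumption)."""
    if value and value[0] <= 0x1F:
        value = value[1:]
    return value.decode("ascii")


def decide_vlan(attrs, vlans: dict, voice_vlan=None):
    """Return ("assigned", id), ("access-vlan", None) or ("invalid", reason).

    attrs: decoded Access-Accept attributes as (number, bytes) pairs.
    vlans: VLAN name -> VLAN ID for the VLANs that exist on the switch (constructed table).
    """
    by_num = {}
    for num, val in attrs:
        by_num.setdefault(num, val)          # first occurrence wins
    tunnel = [by_num.get(n) for n in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)]
    if all(v is None for v in tunnel):
        return ("access-vlan", None)         # no VLAN supplied: port uses its access VLAN
    if any(v is None for v in tunnel):
        return ("invalid", "incomplete tunnel attribute set")
    try:
        if tunnel_int(tunnel[0]) != TUNNEL_TYPE_VLAN:
            return ("invalid", "Tunnel-Type is not VLAN (13)")
        if tunnel_int(tunnel[1]) != TUNNEL_MEDIUM_802:
            return ("invalid", "Tunnel-Medium-Type is not 802 (6)")
        group = tunnel_string(tunnel[2])
    except (ValueError, UnicodeDecodeError) as exc:
        return ("invalid", f"malformed attribute: {exc}")
    # Attribute [81] carries either a VLAN ID or a VLAN name.
    if group.isdigit():
        vlan_id = int(group)
        if not 1 <= vlan_id <= 4094:
            return ("invalid", f"malformed VLAN ID {group}")
        if vlan_id not in vlans.values():
            return ("invalid", f"nonexistent VLAN ID {vlan_id}")
    else:
        if group not in vlans:
            return ("invalid", f"nonexistent VLAN name {group!r}")
        vlan_id = vlans[group]
    if vlan_id == voice_vlan:
        return ("invalid", f"VLAN {vlan_id} is the voice VLAN")
    return ("assigned", vlan_id)


# Constructed VLAN table and Access-Accept attributes for the sample run.
VLANS = {"default": 1, "STAFF": 20, "VOICE": 100}
GOOD = [(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"), (81, b"\x00STAFF")]

if __name__ == "__main__":
    print(decide_vlan(GOOD, VLANS, voice_vlan=100))                        # ('assigned', 20)
    print(decide_vlan(GOOD[:2] + [(81, b"100")], VLANS, voice_vlan=100))   # voice VLAN rejected
```

The point of the "invalid" branch is the one the text makes: a typo in the RADIUS profile must leave the port in its configured access VLAN and unauthorized, never in whatever VLAN the malformed value happens to resemble.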

Using IEEE 802.1x Authentication with Per-User ACLs

You can enable per-user access control lists (ACLs) to provide different levels of network access and service to an IEEE 802.1x-authenticated user. When the RADIUS server authenticates a user connected to an IEEE 802.1x port, it retrieves the ACL attributes based on the user identity and sends them to the switch. The switch applies the attributes to the IEEE 802.1x port for the duration of the user session. The switch removes the per-user ACL configuration when the session is over, if authentication fails, or if a link-down condition occurs. The switch does not save RADIUS-specified ACLs in the running configuration. When the port is unauthorized, the switch removes the ACL from the port.

You can configure only port ACLs on the switch port.

RADIUS supports per-user attributes, including vendor-specific attributes. These vendor-specific attributes (VSAs) are in octet-string format and are passed to the switch during the authentication process. The VSAs used for per-user ACLs are inacl#<n> for the ingress direction and outacl#<n> for the egress direction. MAC ACLs are supported only in the ingress direction. The switch supports VSAs only in the ingress direction. It does not support port ACLs in the egress direction on Layer 2 ports. For more information, see Chapter 26, "Configuring Network Security with ACLs."

Use only the extended ACL syntax style to define the per-user configuration stored on the RADIUS server. When the definitions are passed from the RADIUS server, they are created by using the extended naming convention. However, if you use the Filter-Id attribute, it can point to a standard ACL.

You can use the Filter-Id attribute to specify an inbound or outbound ACL that is already configured on the switch. The attribute contains the ACL number followed by .in for ingress filtering or .out for egress filtering. If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs).

Only one IEEE 802.1x-authenticated user is supported on a port. If the multiple-hosts mode is enabled on the port, the per-user ACL attribute is disabled for the associated port.

The maximum size of the per-user ACL is 4000 ASCII characters but is limited by the maximum size of RADIUS-server per-user ACLs.

For examples of vendor-specific attributes, see the "Configuring the Switch to Use Vendor-Specific RADIUS Attributes" section on page 5-29. For more information about configuring ACLs, see Chapter 26, "Configuring Network Security with ACLs."

To configure per-user ACLs, you need to perform these tasks:

• Enable AAA authentication.

• Enable AAA authorization by using the network keyword to allow interface configuration from the RADIUS server.

• Enable IEEE 802.1x authentication.

• Configure the user profile and VSAs on the RADIUS server.

• Configure the IEEE 802.1x port for single-host mode.
Using IEEE 802.1x Authentication with Guest VLAN

You can configure a guest VLAN for each IEEE 802.1x port on the switch to provide limited services to clients, such as downloading the IEEE 802.1x client. These clients might be upgrading their system for IEEE 802.1x authentication, and some hosts, such as Windows 98 systems, might not be IEEE 802.1x-capable.

When you enable a guest VLAN on an IEEE 802.1x port, the switch assigns clients to a guest VLAN when the switch does not receive a response to its EAP request/identity frame or when EAPOL packets are not sent by the client.

With Cisco IOS Release 12.2(25)SE1 and later, the switch maintains the EAPOL packet history. If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the device connected to that interface is an IEEE 802.1x-capable supplicant, and the interface does not change to the guest VLAN state. EAPOL history is cleared if the interface link status goes down. If no EAPOL packet is detected on the interface, the interface changes to the guest VLAN state.

Before Cisco IOS Release 12.2(25)SE1, the switch did not maintain the EAPOL packet history and allowed clients that failed authentication access to the guest VLAN, regardless of whether EAPOL packets had been detected on the interface. You can enable this behavior by using the dot1x guest-vlan supplicant global configuration command. However, in Cisco IOS Release 12.2(25)SEE, the dot1x guest-vlan supplicant global configuration command is no longer supported. Use a restricted VLAN to allow clients that failed authentication access to the network by entering the dot1x auth-fail vlan vlan-id interface configuration command.
In  Cisco  IOS  Release  12.2(25)SEE  and  later,  i  no  longer  allows 

Note      If an EAPOL packet is detected after the interface has changed to the guest VLAN, the interface reverts
to an unauthorized state, and IEEE 802.1x authentication restarts.


Any number of IEEE 802.1x-incapable clients are allowed access when the switch port is moved to the
guest VLAN. If an IEEE 802.1x-capable client joins the same port on which the guest VLAN is
configured, the port is put into the unauthorized state in the user-configured access VLAN, and
authentication is restarted.

Guest VLANs are supported on IEEE 802.1x ports in single-host or multiple-hosts mode.

You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x
guest VLAN. The guest VLAN feature is not supported on trunk ports; it is supported only on access
ports.

The switch supports MAC authentication bypass in Cisco IOS Release 12.2(25)SEE and later. When
MAC authentication bypass is enabled on an IEEE 802.1x port, the switch can authorize clients based
on the client MAC address when IEEE 802.1x authentication times out while waiting for an EAPOL
message exchange. After detecting a client on an IEEE 802.1x port, the switch waits for an Ethernet
packet from the client. The switch sends the authentication server a RADIUS access/request frame with
a username and password based on the MAC address. If authorization succeeds, the switch grants the
client access to the network. If authorization fails, the switch assigns the port to the guest VLAN if one
is specified. For more information, see the "Using IEEE 802.1x Authentication with MAC
Authentication Bypass" section on page 6-17.

For  more  information,  see  the  "Configuring  a  Guest  VLAN"  section  on  page  6-31. 

Using  IEEE  802.1x  Authentication  with  Restricted  VLAN 

You can configure a restricted VLAN (also referred to as an authentication failed VLAN) for each
IEEE 802.1x port on a switch to provide limited services to clients that cannot access the guest VLAN.
These clients are IEEE 802.1x-compliant and cannot access another VLAN because they fail the
authentication process. A restricted VLAN allows users without valid credentials in an authentication
server (typically, visitors to an enterprise) to access a limited set of services. The administrator can
control the services available to the restricted VLAN.

Note      You  can  configure  a  VLAN  to  be  both  the  guest  VLAN  and  the  restricted  VLAN  if  you  want  to  provide 
the  same  services  to  both  types  of  users. 


Without  this  feature,  the  client  attempts  and  fails  authentication  indefinitely,  and  the  switch  port  remains 
in  the  spanning-tree  blocking  state.  With  this  feature,  you  can  configure  the  switch  port  to  be  in  the 
restricted  VLAN  after  a  specified  number  of  authentication  attempts  (the  default  value  is  3  attempts). 

The  authenticator  counts  the  failed  authentication  attempts  for  the  client.  When  this  count  exceeds  the 
configured  maximum  number  of  authentication  attempts,  the  port  moves  to  the  restricted  VLAN.  The 
failed  attempt  count  increments  when  the  RADIUS  server  replies  with  either  an  EAP  failure  or  an  empty 
response  without  an  EAP  packet.  When  the  port  moves  into  the  restricted  VLAN,  the  failed  attempt 
counter  resets. 

Users  who  fail  authentication  remain  in  the  restricted  VLAN  until  the  next  re-authentication  attempt.  A 
port  in  the  restricted  VLAN  tries  to  re-authenticate  at  configured  intervals  (the  default  is  60  seconds).  If 
re-authentication  fails,  the  port  remains  in  the  restricted  VLAN.  If  re-authentication  is  successful,  the 
port  moves  either  to  the  configured  VLAN  or  to  a  VLAN  sent  by  the  RADIUS  server.  You  can  disable 
re-authentication.  If  you  do  this,  the  only  way  to  restart  the  authentication  process  is  for  the  port  to 
receive  a  link  down  or  EAP  logoff  event.  We  recommend  that  you  keep  re-authentication  enabled  if  a 
client  might  connect  through  a  hub.  When  a  client  disconnects  from  the  hub,  the  port  might  not  receive 
the  link  down  or  EAP  logoff  event. 

After  a  port  moves  to  the  restricted  VLAN,  a  simulated  EAP  success  message  is  sent  to  the  client.  This 
prevents  clients  from  indefinitely  attempting  authentication.  Some  clients  (for  example,  devices  running 
Windows  XP)  cannot  implement  DHCP  without  EAP  success. 
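As an added illustration (not code from the guide), the following Python model walks through the failed-attempt counter and re-authentication rules described above; the reply categories and the rule that the port moves on the third consecutive failure are this example's own assumptions.

```python
"""Model of the restricted-VLAN (authentication failed VLAN) behaviour described
above. Added example for illustration, not Cisco IOS code. Assumed semantics,
taken from the text: a RADIUS EAP failure or an empty RADIUS response without
an EAP packet counts as one failed attempt; when the configured maximum
(default 3) is reached the port moves to the restricted VLAN and the counter
resets; a later successful re-authentication moves the port to the configured
VLAN or to the VLAN sent by the RADIUS server.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed reply categories for this model (not RADIUS wire values).
EAP_SUCCESS = "eap-success"
EAP_FAILURE = "eap-failure"
EMPTY_RESPONSE = "empty-response"      # RADIUS reply carrying no EAP packet


@dataclass
class Dot1xPort:
    access_vlan: int                       # user-configured access VLAN
    restricted_vlan: Optional[int] = None  # dot1x auth-fail vlan, if configured
    max_attempts: int = 3                  # default number of attempts
    failed_attempts: int = 0
    state: str = "unauthorized"            # unauthorized | authorized | restricted
    current_vlan: Optional[int] = None

    def on_radius_reply(self, reply: str, server_vlan: Optional[int] = None) -> str:
        """Apply one RADIUS reply to the port and return the new state."""
        if reply == EAP_SUCCESS:
            # Success (also from the restricted VLAN) authorizes the port in the
            # RADIUS-assigned VLAN, or in the configured VLAN if none was sent.
            self.failed_attempts = 0
            self.state = "authorized"
            self.current_vlan = server_vlan if server_vlan is not None else self.access_vlan
            return self.state
        if reply not in (EAP_FAILURE, EMPTY_RESPONSE):
            raise ValueError(f"unexpected reply category: {reply}")

        if self.state == "restricted":
            # Failed re-authentication: the port stays in the restricted VLAN.
            return self.state

        self.failed_attempts += 1
        if self.restricted_vlan is not None and self.failed_attempts >= self.max_attempts:
            # Assumption: the move happens on the max_attempts-th failure.
            self.state = "restricted"
            self.current_vlan = self.restricted_vlan
            self.failed_attempts = 0       # counter resets on entering the VLAN
        else:
            # No restricted VLAN, or limit not yet reached: no network access.
            self.state = "unauthorized"
            self.current_vlan = None
        return self.state

    def on_link_down_or_logoff(self) -> str:
        """Link down or EAP logoff restarts authentication from scratch."""
        self.state = "unauthorized"
        self.current_vlan = None
        self.failed_attempts = 0
        return self.state


def run_sequence(port: Dot1xPort, replies) -> list:
    """Feed a constructed sequence of (reply, server_vlan) pairs; return the states."""
    return [port.on_radius_reply(reply, vlan) for reply, vlan in replies]
```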
Restricted VLANs are supported only on IEEE 802.1x ports in single-host mode and on Layer 2 ports.

You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x
restricted VLAN. The restricted VLAN feature is not supported on internal VLANs (routed ports) or
trunk ports; it is supported only on access ports.

This  feature  works  with  port  security.  As  soon  as  the  port  is  authorized,  a  MAC  address  is  provided  to 
port  security.  If  port  security  does  not  permit  the  MAC  address  or  if  the  maximum  secure  address  count 
is  reached,  the  port  becomes  unauthorized  and  error  disabled. 

Other  port  security  features  such  as  dynamic  ARP  Inspection,  DHCP  snooping,  and  IP  source  guard  can 
be  configured  independently  on  a  restricted  VLAN. 

For  more  information,  see  the  "Configuring  a  Restricted  VLAN"  section  on  page  6-32. 


Using IEEE 802.1x Authentication with Inaccessible Authentication Bypass

When  the  switch  cannot  reach  the  configured  RADIUS  servers  and  hosts  cannot  be  authenticated,  you 
can  configure  the  switch  to  allow  network  access  to  the  hosts  connected  to  critical  ports.  A  critical  port 
is  enabled  for  the  inaccessible  authentication  bypass  feature,  also  referred  to  as  critical  authentication 
or  the  AAA  fail  policy. 

When  this  feature  is  enabled,  the  switch  checks  the  status  of  the  configured  RADIUS  servers  whenever 
the  switch  tries  to  authenticate  a  host  connected  to  a  critical  port.  If  a  server  is  available,  the  switch  can 
authenticate  the  host.  However,  if  all  the  RADIUS  servers  are  unavailable,  the  switch  grants  network 
access  to  the  host  and  puts  the  port  in  the  critical-authentication  state,  which  is  a  special  case  of  the 
authentication  state. 

The  behavior  of  the  inaccessible  authentication  bypass  feature  depends  on  the  authorization  state  of  the 
port: 

•  If the port is unauthorized when a host connected to a critical port tries to authenticate and all servers
are unavailable, the switch puts the port in the critical-authentication state in the
RADIUS-configured or user-specified access VLAN.

•  If  the  port  is  already  authorized  and  re-authentication  occurs,  the  switch  puts  the  critical  port  in  the 
critical-authentication  state  in  the  current  VLAN,  which  might  be  the  one  previously  assigned  by 
the  RADIUS  server. 

•  If the RADIUS server becomes unavailable during an authentication exchange, the current
exchange times out, and the switch puts the critical port in the critical-authentication state during
the next authentication attempt.

When  a  RADIUS  server  that  can  authenticate  the  host  is  available,  all  critical  ports  in  the 
critical-authentication  state  are  automatically  re-authenticated. 

Inaccessible  authentication  bypass  interacts  with  these  features: 

•  Guest VLAN: Inaccessible authentication bypass is compatible with guest VLAN. When a guest
VLAN is enabled on an IEEE 802.1x port, the features interact as follows:

-  If at least one RADIUS server is available, the switch assigns a client to a guest VLAN when
the switch does not receive a response to its EAP request/identity frame or when EAPOL
packets are not sent by the client.

-  If all the RADIUS servers are not available and the client is connected to a critical port, the
switch authenticates the client and puts the critical port in the critical-authentication state in the
RADIUS-configured or user-specified access VLAN.

-  If all the RADIUS servers are not available and the client is not connected to a critical port, the
switch might not assign clients to the guest VLAN if one is configured.

-  If all the RADIUS servers are not available and if a client is connected to a critical port and was
previously assigned to a guest VLAN, the switch keeps the port in the guest VLAN.

•  Restricted  VLAN — If  the  port  is  already  authorized  in  a  restricted  VLAN  and  the  RADIUS  servers 
are  unavailable,  the  switch  puts  the  critical  port  in  the  critical-authentication  state  in  the  restricted 
VLAN. 

•  IEEE 802.1x accounting: Accounting is not affected if the RADIUS servers are unavailable.

•  Private  VLAN — You  can  configure  inaccessible  authentication  bypass  on  a  private  VLAN  host  port. 
The  access  VLAN  must  be  a  secondary  private  VLAN. 

•  Voice VLAN: Inaccessible authentication bypass is compatible with voice VLAN, but the
RADIUS-configured or user-specified access VLAN and the voice VLAN must be different.

•  Remote Switched Port Analyzer (RSPAN): Do not configure an RSPAN VLAN as the
RADIUS-configured or user-specified access VLAN for inaccessible authentication bypass.
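To make the decision rules above concrete, here is an added Python model (not Cisco code) that returns the port state and VLAN for one authentication attempt while every RADIUS server is unreachable, together with a check for the RSPAN and voice VLAN restrictions listed above; the field and state names are this example's own.

```python
"""Decision table for inaccessible authentication bypass (critical
authentication) as described above. Added example, not Cisco IOS code. The
PortContext fields and the returned state names are this example's own; the
rules are the ones the text states for critical and non-critical ports when
all RADIUS servers are unavailable.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PortContext:
    critical: bool                          # inaccessible bypass enabled on port
    authorized: bool = False
    current_vlan: Optional[int] = None      # VLAN the port is in right now
    access_vlan: int = 1                    # user-specified access VLAN
    radius_vlan: Optional[int] = None       # VLAN previously sent by RADIUS
    guest_vlan: Optional[int] = None
    restricted_vlan: Optional[int] = None
    voice_vlan: Optional[int] = None
    rspan_vlans: frozenset = frozenset()    # RSPAN VLANs defined on the switch


def critical_access_vlan(p: PortContext) -> int:
    """RADIUS-configured VLAN if one was sent, else the user-specified access VLAN."""
    return p.radius_vlan if p.radius_vlan is not None else p.access_vlan


def check_critical_config(p: PortContext) -> List[str]:
    """Return the configuration problems the text warns about (empty list = ok)."""
    problems: List[str] = []
    target = critical_access_vlan(p)
    if target in p.rspan_vlans:
        problems.append("access VLAN for critical authentication must not be an RSPAN VLAN")
    if p.voice_vlan is not None and p.voice_vlan == target:
        problems.append("voice VLAN and access VLAN must be different")
    return problems


def authenticate(p: PortContext, servers_available: bool) -> Tuple[str, Optional[int]]:
    """Return (port state, VLAN) for one authentication or re-authentication attempt.

    Only the AAA-unreachable branch is modelled; with a server reachable the
    normal IEEE 802.1x exchange decides, which this example leaves to the caller.
    """
    if servers_available:
        return ("normal-authentication", p.current_vlan)
    if not p.critical:
        # Non-critical port: no fall-back; the guest VLAN is not guaranteed.
        return ("unauthorized", None)
    if p.guest_vlan is not None and p.current_vlan == p.guest_vlan:
        # Previously placed in the guest VLAN: the switch keeps the port there.
        return ("guest-vlan", p.guest_vlan)
    if p.authorized:
        # Re-authentication: stay in the current VLAN, which covers both a
        # RADIUS-assigned VLAN and an authorized restricted VLAN.
        return ("critical-authentication", p.current_vlan)
    # Unauthorized port: RADIUS-configured or user-specified access VLAN.
    return ("critical-authentication", critical_access_vlan(p))
```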

Using  IEEE  802.1x  Authentication  with  Voice  VLAN  Ports 

A  voice  VLAN  port  is  a  special  access  port  associated  with  two  VLAN  identifiers: 

•  VVID  to  carry  voice  traffic  to  and  from  the  IP  phone.  The  VVID  is  used  to  configure  the  IP  phone 
connected  to  the  port. 

•  PVID  to  carry  the  data  traffic  to  and  from  the  workstation  connected  to  the  switch  through  the  IP 
phone.  The  PVID  is  the  native  VLAN  of  the  port. 

The IP phone uses the VVID for its voice traffic, regardless of the authorization state of the port. This
allows the phone to work independently of IEEE 802.1x authentication.

In  single-host  mode,  only  the  IP  phone  is  allowed  on  the  voice  VLAN.  In  multiple-hosts  mode, 
additional  clients  can  send  traffic  on  the  voice  VLAN  after  a  supplicant  is  authenticated  on  the  PVID. 
When  multiple-hosts  mode  is  enabled,  the  supplicant  authentication  affects  both  the  PVID  and  the 
VVID. 

A voice VLAN port becomes active when there is a link, and the device MAC address appears after the
first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices.
As a result, if several IP phones are connected in series, the switch recognizes only the one directly
connected to it. When IEEE 802.1x authentication is enabled on a voice VLAN port, the switch drops
packets from unrecognized IP phones more than one hop away.

When IEEE 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal
to a voice VLAN.

Note      If you enable IEEE 802.1x authentication on an access port on which a voice VLAN is configured and
to which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30
seconds.


For  more  information  about  voice  VLANs,  see  Chapter  11,  "Configuring  Voice  VLAN." 
Using IEEE 802.1x Authentication with Port Security

You can configure an IEEE 802.1x port with port security in either single-host or multiple-hosts mode.
(You also must configure port security on the port by using the switchport port-security interface
configuration command.) When you enable port security and IEEE 802.1x authentication on a port,
IEEE 802.1x authentication authenticates the port, and port security manages network access for all
MAC addresses, including that of the client. You can then limit the number or group of clients that can
access the network through an IEEE 802.1x port.

These are some examples of the interaction between IEEE 802.1x authentication and port security on the
switch:

•  When  a  client  is  authenticated,  and  the  port  security  table  is  not  full,  the  client  MAC  address  is  added 
to  the  port  security  list  of  secure  hosts.  The  port  then  proceeds  to  come  up  normally. 

When  a  client  is  authenticated  and  manually  configured  for  port  security,  it  is  guaranteed  an  entry 
in  the  secure  host  table  (unless  port  security  static  aging  has  been  enabled). 

A  security  violation  occurs  if  the  client  is  authenticated,  but  the  port  security  table  is  full.  This  can 
happen  if  the  maximum  number  of  secure  hosts  has  been  statically  configured  or  if  the  client  ages 
out  of  the  secure  host  table.  If  the  client  address  is  aged,  its  place  in  the  secure  host  table  can  be 
taken  by  another  host. 

If  the  security  violation  is  caused  by  the  first  authenticated  host,  the  port  becomes  error-disabled  and 
immediately  shuts  down. 

The  port  security  violation  modes  determine  the  action  for  security  violations.  For  more 
information,  see  the  "Security  Violations"  section  on  page  18-9. 

•  When you manually remove an IEEE 802.1x client address from the port security table by using the
no switchport port-security mac-address mac-address interface configuration command, you
should re-authenticate the IEEE 802.1x client by using the dot1x re-authenticate interface
interface-id privileged EXEC command.

•  When an IEEE 802.1x client logs off, the port changes to an unauthenticated state, and all dynamic
entries  in  the  secure  host  table  are  cleared,  including  the  entry  for  the  client.  Normal  authentication 
then  takes  place. 

•  If  the  port  is  administratively  shut  down,  the  port  becomes  unauthenticated,  and  all  dynamic  entries 
are  removed  from  the  secure  host  table. 

•  Port security and a voice VLAN can be configured simultaneously on an IEEE 802.1x port that is
in either single-host or multiple-hosts mode. Port security applies to both the voice VLAN identifier
(VVID) and the port VLAN identifier (PVID).

For  more  information  about  enabling  port  security  on  your  switch,  see  the  "Configuring  Port  Security" 
section  on  page  18-7. 

Using  IEEE  802.1x  Authentication  with  Wake-on-LAN 

The IEEE 802.1x authentication with wake-on-LAN (WoL) feature allows dormant PCs to be powered
on when the switch receives a specific Ethernet frame, known as the magic packet. You can use this feature
in environments where administrators need to connect to systems that have been powered down.

When a host that uses WoL is attached through an IEEE 802.1x port and the host powers off, the
IEEE 802.1x port becomes unauthorized. The port can only receive and send EAPOL packets, and WoL
magic packets cannot reach the host. When the PC is powered off, it is not authorized, and the switch
port is not opened.

6-16

Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide

380261-003

Chapter 6    Configuring IEEE 802.1x Port-Based Authentication

Understanding IEEE 802.1x Port-Based Authentication

When the switch uses IEEE 802.1x authentication with WoL, the switch forwards traffic to unauthorized
IEEE 802.1x ports, including magic packets. While the port is unauthorized, the switch continues to
block ingress traffic other than EAPOL packets. The host can receive packets but cannot send packets
to other devices in the network.

Note      If  PortFast  is  not  enabled  on  the  port,  the  port  is  forced  to  the  bidirectional  state. 


When you configure a port as unidirectional by using the dot1x control-direction in interface
configuration command, the port changes to the spanning-tree forwarding state. The port can send
packets to the host but cannot receive packets from the host.

When you configure a port as bidirectional by using the dot1x control-direction both interface
configuration command, the port is access-controlled in both directions. The port does not receive
packets from or send packets to the host.

Using  IEEE  802.1x  Authentication  with  MAC  Authentication  Bypass 

You can configure the switch to authorize clients based on the client MAC address (see Figure 6-2 on
page 6-4) by using the MAC authentication bypass feature. For example, you can enable this feature on
IEEE 802.1x ports connected to devices such as printers.

If IEEE 802.1x authentication times out while waiting for an EAPOL response from the client, the switch
tries to authorize the client by using MAC authentication bypass.

When the MAC authentication bypass feature is enabled on an IEEE 802.1x port, the switch uses the
MAC address as the client identity. The authentication server has a database of client MAC addresses
that are allowed network access. After detecting a client on an IEEE 802.1x port, the switch waits for an
Ethernet packet from the client. The switch sends the authentication server a RADIUS access/request
frame with a username and password based on the MAC address. If authorization succeeds, the switch
grants the client access to the network. If authorization fails, the switch assigns the port to the guest
VLAN if one is configured.

If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines
that the device connected to that interface is an IEEE 802.1x-capable supplicant and uses IEEE 802.1x
authentication (not MAC authentication bypass) to authorize the interface. EAPOL history is cleared if
the interface link status goes down.

If the switch already authorized a port by using MAC authentication bypass and detects an IEEE 802.1x
supplicant, the switch does not unauthorize the client connected to the port. When re-authentication
occurs, the switch uses IEEE 802.1x authentication as the preferred re-authentication process if the
previous session ended because the Termination-Action RADIUS attribute value is DEFAULT.

Clients that were authorized with MAC authentication bypass can be re-authenticated. The
re-authentication process is the same as that for clients that were authenticated with IEEE 802.1x.
During re-authentication, the port remains in the previously assigned VLAN. If re-authentication is
successful, the switch keeps the port in the same VLAN. If re-authentication fails, the switch assigns the
port to the guest VLAN, if one is configured.

If re-authentication is based on the Session-Timeout RADIUS attribute (Attribute[27]) and the
Termination-Action RADIUS attribute (Attribute[29]) and if the Termination-Action RADIUS attribute
(Attribute[29]) action is Initialize (the attribute value is DEFAULT), the MAC authentication bypass
session ends, and connectivity is lost during re-authentication. If MAC authentication bypass is enabled
and the IEEE 802.1x authentication times out, the switch uses the MAC authentication bypass feature to
initiate re-authorization. For more information about these AV pairs, see RFC 3580, "IEEE 802.1X
Remote Authentication Dial In User Service (RADIUS) Usage Guidelines."
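The following added Python state machine (not Cisco code) ties together the guest VLAN, EAPOL history and MAC authentication bypass rules from this section and from the guest VLAN section above; the MAC allow-list stands in for the RADIUS server's MAC database, and the event and state names are this example's own.

```python
"""Port state machine for the guest VLAN, EAPOL history and MAC authentication
bypass (MAB) rules described in this chapter. Added example, not Cisco IOS
code. MAB_ALLOWED_MACS is a constructed stand-in for the authentication
server's MAC address database; event and state names are this example's own.
"""
from dataclasses import dataclass
from typing import Optional, Set

# Constructed stand-in for the RADIUS server's database of allowed MACs.
MAB_ALLOWED_MACS: Set[str] = {"00:11:22:33:44:55"}   # e.g. a printer


@dataclass
class Port:
    access_vlan: int
    guest_vlan: Optional[int] = None
    mab_enabled: bool = False
    eapol_seen: bool = False           # EAPOL history for the current link
    state: str = "unauthorized"        # unauthorized | authorized | guest-vlan
    vlan: Optional[int] = None
    auth_method: Optional[str] = None  # "dot1x" or "mab" once authorized

    def on_eapol(self) -> str:
        """Client sent EAPOL: it is IEEE 802.1x-capable, so never the guest VLAN."""
        self.eapol_seen = True
        if self.state == "guest-vlan":
            # Revert to unauthorized and restart IEEE 802.1x authentication.
            self.state, self.vlan, self.auth_method = "unauthorized", None, None
        # A port already authorized through MAB keeps its client authorized;
        # IEEE 802.1x is preferred only at the next re-authentication.
        return self.state

    def on_dot1x_result(self, success: bool) -> str:
        """Outcome of a completed IEEE 802.1x exchange with the RADIUS server."""
        if success:
            self.state, self.vlan, self.auth_method = "authorized", self.access_vlan, "dot1x"
        else:
            self.state, self.vlan, self.auth_method = "unauthorized", None, None
        return self.state

    def on_dot1x_timeout(self, client_mac: Optional[str]) -> str:
        """No EAPOL response before the retries ran out: decide the fall-back.

        client_mac is the source address of the first Ethernet packet seen from
        the client, or None if no packet has arrived yet.
        """
        if self.eapol_seen:
            # EAPOL seen earlier on this link: restart 802.1x, no guest VLAN.
            return self.state
        if self.mab_enabled and client_mac is not None:
            # MAB: the MAC address becomes the identity sent to the RADIUS server.
            if client_mac.lower() in MAB_ALLOWED_MACS:
                self.state, self.vlan, self.auth_method = "authorized", self.access_vlan, "mab"
                return self.state
        # Not 802.1x-capable and MAB failed or unavailable: guest VLAN if any.
        if self.guest_vlan is not None:
            self.state, self.vlan, self.auth_method = "guest-vlan", self.guest_vlan, None
        else:
            self.state, self.vlan, self.auth_method = "unauthorized", None, None
        return self.state

    def on_link_down(self) -> str:
        """EAPOL history is cleared when the link goes down."""
        self.eapol_seen = False
        self.state, self.vlan, self.auth_method = "unauthorized", None, None
        return self.state
```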
MAC authentication bypass interacts with these features:

•  IEEE 802.1x authentication: You can enable MAC authentication bypass only if IEEE 802.1x
authentication is enabled on the port.

•  Guest  VLAN — If  a  client  has  an  invalid  MAC  address  identity,  the  switch  assigns  the  client  to  a 
guest  VLAN  if  one  is  configured. 

•  Restricted VLAN: This feature is not supported when the client connected to an IEEE 802.1x port
is authenticated with MAC authentication bypass.

•  Port security: See the "Using IEEE 802.1x Authentication with Port Security" section on
page 6-16.

•  Voice VLAN: See the "Using IEEE 802.1x Authentication with Voice VLAN Ports" section on
page 6-15.

•  VLAN Membership Policy Server (VMPS): IEEE 802.1x and VMPS are mutually exclusive.

•  Private  VLAN — You  can  assign  a  client  to  a  private  VLAN. 

•  Network admission control (NAC) Layer 2 IP validation: This feature takes effect after an
IEEE 802.1x port is authenticated with MAC authentication bypass, including hosts in the exception
list.


Using  Web  Authentication 


You can use a web browser to authenticate a client that does not support IEEE 802.1x functionality.

You can configure a port to use only web authentication. You can also configure the port to first try
IEEE 802.1x authentication and then to use web authentication if the client does not support
IEEE 802.1x authentication.

Web authentication requires two Cisco Attribute-Value (AV) pair attributes:

•  The first attribute, priv-lvl=15, must always be set to 15. This sets the privilege level of the user
who is logging into the switch.

•  The second attribute is an access list to be applied for web-authenticated hosts. The syntax is similar
to IEEE 802.1x per-user ACLs. However, instead of ip:inacl, this attribute must begin with
proxyacl, and the source field in each entry must be any. (After authentication, the client IP
address replaces the any field when the ACL is applied.)

For example:

proxyacl#10=permit ip any 10.0.0.0 255.0.0.0
proxyacl#20=permit ip any 11.1.0.0 255.255.0.0
proxyacl#30=permit udp any any eq syslog
proxyacl#40=permit udp any any eq tftp

Note      The proxyacl entry determines the type of allowed network access.
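Here is an added Python validator (not Cisco code) for these two AV pairs: it rejects entries that do not start with proxyacl# or whose source field is not any, and renders the ACL once the client address is substituted; writing the substituted source as "host <address>" is an assumption of this example, and the sample profile is constructed from the entries above.

```python
"""Offline validator for the Cisco AV pairs that web authentication requires.
Added example, not Cisco IOS code. Checks a RADIUS user profile for the
priv-lvl=15 attribute and well-formed proxyacl# entries whose source is "any",
then shows the ACL with the client's address substituted. Rendering the
substituted source as "host <address>" is this example's assumption.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

PROXYACL_KEY = re.compile(r"^proxyacl#(\d+)$")
# action, protocol, source, remainder (destination and any port qualifiers)
ACE = re.compile(r"^(permit|deny)\s+(\S+)\s+(\S+)\s+(.*)$")

# Constructed RADIUS reply attributes for one web-authenticated user.
SAMPLE_AV_PAIRS: List[str] = [
    "priv-lvl=15",
    "proxyacl#10=permit ip any 10.0.0.0 255.0.0.0",
    "proxyacl#20=permit ip any 11.1.0.0 255.255.0.0",
    "proxyacl#30=permit udp any any eq syslog",
    "proxyacl#40=permit udp any any eq tftp",
]


def validate_webauth_profile(av_pairs: List[str]) -> Tuple[List[str], Dict[int, str]]:
    """Return (problems, {sequence: ACE}) for a web-authentication user profile."""
    problems: List[str] = []
    entries: Dict[int, str] = {}
    priv = [v for v in av_pairs if v.startswith("priv-lvl=")]
    if priv != ["priv-lvl=15"]:
        problems.append("priv-lvl=15 must be present exactly once")
    for pair in av_pairs:
        if pair.startswith("priv-lvl="):
            continue
        key, sep, value = pair.partition("=")
        match = PROXYACL_KEY.match(key)
        if not sep or not match:
            # ip:inacl# entries belong to IEEE 802.1x per-user ACLs, not here.
            problems.append(f"attribute must begin with proxyacl#: {pair}")
            continue
        seq = int(match.group(1))
        ace = ACE.match(value.strip())
        if not ace:
            problems.append(f"proxyacl#{seq}: unparseable ACE '{value}'")
            continue
        if ace.group(3) != "any":
            problems.append(f"proxyacl#{seq}: source must be 'any', got '{ace.group(3)}'")
            continue
        if seq in entries:
            problems.append(f"proxyacl#{seq}: duplicate sequence number")
            continue
        entries[seq] = value.strip()
    return problems, entries


def apply_for_client(entries: Dict[int, str], client_ip: str) -> List[str]:
    """Render the ACL applied after login: the 'any' source becomes the client."""
    host = ipaddress.ip_address(client_ip)          # raises on a malformed address
    rendered: List[str] = []
    for seq in sorted(entries):
        action, proto, _src, rest = ACE.match(entries[seq]).groups()
        rendered.append(f"{seq} {action} {proto} host {host} {rest}")
    return rendered
```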

For  more  information,  see  the  "Configuring  Web  Authentication"  section  on  page  6-38. 
Configuring IEEE 802.1x Authentication

These  sections  contain  this  configuration  information: 

•  Default IEEE 802.1x Authentication Configuration, page 6-19

•  IEEE 802.1x Authentication Configuration Guidelines, page 6-21

•  Configuring IEEE 802.1x Authentication, page 6-23 (required)

•  Configuring  the  Switch-to-RADIUS-Server  Communication,  page  6-24  (required) 

•  Configuring  the  Host  Mode,  page  6-26  (optional) 

•  Configuring  Periodic  Re-Authentication,  page  6-26  (optional) 

•  Manually  Re-Authenticating  a  Client  Connected  to  a  Port,  page  6-27  (optional) 

•  Changing  the  Quiet  Period,  page  6-27  (optional) 

•  Changing  the  Switch-to-Client  Retransmission  Time,  page  6-28  (optional) 

•  Setting  the  Switch-to-Client  Frame-Retransmission  Number,  page  6-29  (optional) 

•  Setting  the  Re-Authentication  Number,  page  6-29  (optional) 

•  Configuring IEEE 802.1x Accounting, page 6-30 (optional)

•  Configuring  a  Guest  VLAN,  page  6-31  (optional) 

•  Configuring  a  Restricted  VLAN,  page  6-32  (optional) 

•  Configuring  the  Inaccessible  Authentication  Bypass  Feature,  page  6-33  (optional) 

•  Configuring IEEE 802.1x Authentication with WoL, page 6-36 (optional)

•  Configuring  MAC  Authentication  Bypass,  page  6-37  (optional) 

•  Configuring IEEE 802.1x Authentication Using a RADIUS Server, page 6-38 (optional)

•  Disabling IEEE 802.1x Authentication on the Port, page 6-41 (optional)

•  Resetting the IEEE 802.1x Authentication Configuration to the Default Values, page 6-42 (optional)

Default  IEEE  802.1x  Authentication  Configuration 


Table 6-2 shows the default IEEE 802.1x authentication configuration.

Table 6-2    Default IEEE 802.1x Authentication Configuration

Feature                                   Default Setting
----------------------------------------  ----------------------------------------------------------------
Switch IEEE 802.1x enable state           Disabled.
Per-port IEEE 802.1x enable state         Disabled (force-authorized). The port sends and receives
                                          normal traffic without IEEE 802.1x-based authentication of
                                          the client.
AAA                                       Disabled.
RADIUS server
    IP address                            None specified.
    UDP authentication port               1812.
    Key                                   None specified.
Host mode                                 Single-host mode.
Control direction                         Bidirectional control.
Periodic re-authentication                Disabled.
Number of seconds between                 3600 seconds.
re-authentication attempts
Re-authentication number                  2 times (number of times that the switch restarts the
                                          authentication process before the port changes to the
                                          unauthorized state).
Quiet period                              60 seconds (number of seconds that the switch remains in the
                                          quiet state following a failed authentication exchange with
                                          the client).
Retransmission time                       30 seconds (number of seconds that the switch should wait
                                          for a response to an EAP request/identity frame from the
                                          client before resending the request).
Maximum retransmission number             2 times (number of times that the switch will send an
                                          EAP-request/identity frame before restarting the
                                          authentication process).
Client timeout period                     30 seconds (when relaying a request from the authentication
                                          server to the client, the amount of time the switch waits for
                                          a response before resending the request to the client).
Authentication server timeout period      30 seconds (when relaying a response from the client to the
                                          authentication server, the amount of time the switch waits
                                          for a reply before resending the response to the server.
                                          This setting is not configurable).
Guest VLAN                                None specified.
Inaccessible authentication bypass        Disabled.
Restricted VLAN                           None specified.
Authenticator (switch) mode               None specified.
MAC authentication bypass                 Disabled.
IEEE 802.1x Authentication Configuration Guidelines

This section has configuration guidelines for these features:

•  IEEE 802.1x Authentication, page 6-21

•  VLAN  Assignment,  Guest  VLAN,  Restricted  VLAN,  and  Inaccessible  Authentication  Bypass,  page 
6-22 

•  MAC  Authentication  Bypass,  page  6-22 

IEEE  802.1x  Authentication 

These are the IEEE 802.1x authentication configuration guidelines:

•  When IEEE 802.1x authentication is enabled, ports are authenticated before any other Layer 2
feature is enabled.

•  If  you  try  to  change  the  mode  of  an  IEEE  802.1x-enabled  port  (for  example,  from  access  to  trunk), 
an  error  message  appears,  and  the  port  mode  is  not  changed. 

•  If  the  VLAN  to  which  an  IEEE  802.1x-enabled  port  is  assigned  changes,  this  change  is  transparent 
and  does  not  affect  the  switch.  For  example,  this  change  occurs  if  a  port  is  assigned  to  a  RADIUS 
server-assigned  VLAN  and  is  then  assigned  to  a  different  VLAN  after  re-authentication. 

If the VLAN to which an IEEE 802.1x port is assigned is shut down, disabled, or removed, the port
becomes unauthorized. For example, the port is unauthorized after the access VLAN to which a port
is assigned shuts down or is removed.

•  The IEEE 802.1x protocol is supported on Layer 2 static-access ports and voice VLAN ports, but it
is not supported on these port types:

-  Trunk port: If you try to enable IEEE 802.1x authentication on a trunk port, an error message
appears, and IEEE 802.1x authentication is not enabled. If you try to change the mode of an
IEEE 802.1x-enabled port to trunk, an error message appears, and the port mode is not changed.

-  Dynamic ports: A port in dynamic mode can negotiate with its neighbor to become a trunk
port. If you try to enable IEEE 802.1x authentication on a dynamic port, an error message
appears, and IEEE 802.1x authentication is not enabled. If you try to change the mode of an
IEEE 802.1x-enabled port to dynamic, an error message appears, and the port mode is not
changed.

-  Dynamic-access ports: If you try to enable IEEE 802.1x authentication on a dynamic-access
(VLAN Query Protocol [VQP]) port, an error message appears, and IEEE 802.1x authentication
is not enabled. If you try to change an IEEE 802.1x-enabled port to dynamic VLAN assignment,
an error message appears, and the VLAN configuration is not changed.

-  EtherChannel port: Do not configure a port that is an active or a not-yet-active member of an
EtherChannel as an IEEE 802.1x port. If you try to enable IEEE 802.1x authentication on an
EtherChannel port, an error message appears, and IEEE 802.1x authentication is not enabled.

-  Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN) destination ports: You can
enable IEEE 802.1x authentication on a port that is a SPAN or RSPAN destination port.
However, IEEE 802.1x authentication is disabled until the port is removed as a SPAN or
RSPAN destination port. You can enable IEEE 802.1x authentication on a SPAN or RSPAN
source port.

•  Before globally enabling IEEE 802.1x authentication on a switch by entering the dot1x
system-auth-control global configuration command, remove the EtherChannel configuration from
the interfaces on which IEEE 802.1x authentication and EtherChannel are configured.
VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass 

These are the configuration guidelines for VLAN assignment, guest VLAN, restricted VLAN, and 
inaccessible authentication bypass: 

•  When IEEE 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is 
equal to a voice VLAN. 

•  The IEEE 802.1x authentication with VLAN assignment feature is not supported on trunk ports, 
dynamic ports, or with dynamic-access port assignment through a VMPS. 

•  You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x guest 
VLAN. The guest VLAN feature is not supported on trunk ports; it is supported only on access ports. 

•  After you configure a guest VLAN for an IEEE 802.1x port to which a DHCP client is connected, 
you might need to get a host IP address from a DHCP server. You can change the settings for 
restarting the IEEE 802.1x authentication process on the switch so that it completes before the DHCP 
process on the client times out and tries to get a host IP address from the DHCP server. Decrease the 
settings for the IEEE 802.1x authentication process (dot1x timeout quiet-period and dot1x timeout 
tx-period interface configuration commands). The amount to decrease the settings depends on the 
connected IEEE 802.1x client type. 

•  When configuring the inaccessible authentication bypass feature, follow these guidelines: 

-  The feature is supported on IEEE 802.1x ports in single-host mode and multiple-hosts mode. 

-  If the client is running Windows XP and the port to which the client is connected is in the 
critical-authentication state, Windows XP might report that the interface is not authenticated. 

-  If the Windows XP client is configured for DHCP and has an IP address from the DHCP server, 
receiving an EAP-Success message on a critical port might not re-initiate the DHCP 
configuration process. 

-  You can configure the inaccessible authentication bypass feature and the restricted VLAN on 
an IEEE 802.1x port. If the switch tries to re-authenticate a critical port in a restricted VLAN 
and all the RADIUS servers are unavailable, the switch changes the port state to the critical 
authentication state and remains in the restricted VLAN. 

-  You can configure the inaccessible authentication bypass feature and port security on the same 
switch port. 

•  You can configure any VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x 
restricted VLAN. The restricted VLAN feature is not supported on trunk ports; it is supported only 
on access ports. 

MAC Authentication Bypass 

These are the MAC authentication bypass configuration guidelines: 

•  Unless otherwise stated, the MAC authentication bypass guidelines are the same as the IEEE 802.1x 
authentication guidelines. For more information, see the "IEEE 802.1x Authentication" section on 
page 6-21. 

•  If you disable MAC authentication bypass on a port after the port has been authorized with its 
MAC address, the port state is not affected. 

•  If the port is in the unauthorized state and the client MAC address is not in the authentication-server 
database, the port remains in the unauthorized state. However, if the client MAC address is added 
to the database, the switch can use MAC authentication bypass to re-authorize the port. 

•  If the port is in the authorized state, the port remains in this state until re-authorization occurs. 
Upgrading from a Previous Software Release 

In Cisco IOS Release 12.2(25)SEE, the implementation for IEEE 802.1x authentication changed from 
the previous releases. When IEEE 802.1x authentication is enabled, information about Port Fast is no 
longer added to the configuration, and this information appears in the running configuration: 

dot1x pae authenticator 

Configuring IEEE 802.1x Authentication 

To configure IEEE 802.1x port-based authentication, you must enable authentication, authorization, and 
accounting (AAA) and specify the authentication method list. A method list describes the sequence and 
authentication method to be queried to authenticate a user. 

To allow per-user ACLs or VLAN assignment, you must enable AAA authorization to configure the 
switch for all network-related service requests. 

This is the IEEE 802.1x AAA process: 

Step 1  A user connects to a port on the switch. 

Step 2  Authentication is performed. 

Step 3  VLAN assignment is enabled, as appropriate, based on the RADIUS server configuration. 

Step 4  The switch sends a start message to an accounting server. 

Step 5  Re-authentication is performed, as necessary. 

Step 6  The switch sends an interim accounting update to the accounting server that is based on the result of 
re-authentication. 

Step 7  The user disconnects from the port. 

Step 8  The switch sends a stop message to the accounting server. 


Beginning in privileged EXEC mode, follow these steps to configure IEEE 802.1x port-based 
authentication: 

Step 1   configure terminal 
         Enter global configuration mode. 

Step 2   aaa new-model 
         Enable AAA. 

Step 3   aaa authentication dot1x {default} method1 
         Create an IEEE 802.1x authentication method list. 
         To create a default list that is used when a named list is not specified in the authentication 
         command, use the default keyword followed by the method that is to be used in default 
         situations. The default method list is automatically applied to all ports. 
         For method1, enter the group radius keywords to use the list of all RADIUS servers for 
         authentication. 
         Note: Though other keywords are visible in the command-line help string, only the group 
         radius keywords are supported. 

Step 4   dot1x system-auth-control 
         Enable IEEE 802.1x authentication globally on the switch. 

Step 5   aaa authorization network {default} group radius 
         (Optional) Configure the switch to use user-RADIUS authorization for all network-related 
         service requests, such as per-user ACLs or VLAN assignment. 
         Note: For per-user ACLs, single-host mode must be configured. This setting is the default. 

Step 6   radius-server host ip-address 
         (Optional) Specify the IP address of the RADIUS server. 

Step 7   radius-server key string 
         (Optional) Specify the authentication and encryption key used between the switch and the 
         RADIUS daemon running on the RADIUS server. 

Step 8   interface interface-id 
         Specify the port connected to the client that is to be enabled for IEEE 802.1x authentication, 
         and enter interface configuration mode. 

Step 9   switchport mode access 
         (Optional) Set the port to access mode only if you configured the RADIUS server in Step 6 and 
         Step 7. 

Step 10  dot1x port-control auto 
         Enable IEEE 802.1x authentication on the port. 
         For feature interaction information, see the "IEEE 802.1x Authentication Configuration 
         Guidelines" section on page 6-21. 

Step 11  end 
         Return to privileged EXEC mode. 

Step 12  show dot1x 
         Verify your entries. 

Step 13  copy running-config startup-config 
         (Optional) Save your entries in the configuration file. 
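The following Python script is an added example, not Cisco's code and not part of this guide: it audits a saved running-config against the configuration guidelines above and the required global commands of the procedure just shown. The sample config, its interface names and VLAN numbers are constructed; the checks cover only the guidelines stated on this page (required global commands, trunk, dynamic and EtherChannel ports, voice VLAN conflicts, and a restricted VLAN combined with multi-host mode).

```python
# Constructed sample running-config (not from the page): Gi0/1 follows the
# guidelines above, the other ports each break one or more of them.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 dot1x port-control auto
!
interface GigabitEthernet0/2
 switchport mode trunk
 channel-group 1 mode on
 dot1x port-control auto
!
interface GigabitEthernet0/3
 switchport mode dynamic desirable
 dot1x port-control auto
!
interface GigabitEthernet0/4
 switchport mode access
 switchport voice vlan 100
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x guest-vlan 100
 dot1x auth-fail vlan 3
!
"""

def parse_config(text):
    """Split an IOS config into global lines and per-interface command lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def _after(lines, prefix):
    """Text following the first line that starts with prefix; None if absent."""
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None

def audit_global(global_lines):
    """Check the global commands the procedure above requires."""
    required = [
        ("aaa new-model", "AAA is not enabled (aaa new-model)"),
        ("aaa authentication dot1x ", "no IEEE 802.1x method list (aaa authentication dot1x)"),
        ("dot1x system-auth-control", "IEEE 802.1x not enabled globally (dot1x system-auth-control)"),
    ]
    return ["global: " + msg for prefix, msg in required if _after(global_lines, prefix) is None]

def audit_interface(name, lines):
    """Apply the port-type and VLAN guidelines to one IEEE 802.1x-enabled port."""
    findings = []
    if _after(lines, "dot1x port-control") is None:
        return findings  # IEEE 802.1x is not configured on this port
    mode = _after(lines, "switchport mode ") or ""
    if mode == "trunk":
        findings.append(f"{name}: IEEE 802.1x is not supported on trunk ports")
    elif mode.startswith("dynamic"):
        findings.append(f"{name}: IEEE 802.1x is not supported on dynamic ports")
    if _after(lines, "channel-group ") is not None:
        findings.append(f"{name}: an EtherChannel member must not be an IEEE 802.1x port")
    voice = _after(lines, "switchport voice vlan ")
    checks = (("port VLAN", _after(lines, "switchport access vlan ")),
              ("guest VLAN", _after(lines, "dot1x guest-vlan ")),
              ("restricted VLAN", _after(lines, "dot1x auth-fail vlan ")))
    for label, vlan in checks:
        if voice is not None and vlan == voice:
            findings.append(f"{name}: {label} {vlan} equals the voice VLAN")
    if checks[2][1] is not None and _after(lines, "dot1x host-mode multi-host") is not None:
        findings.append(f"{name}: a restricted VLAN is supported only in single-host mode")
    return findings

def audit(config_text):
    """Return every guideline finding for a running-config, global ones first."""
    global_lines, interfaces = parse_config(config_text)
    findings = audit_global(global_lines)
    for name, lines in interfaces.items():
        findings.extend(audit_interface(name, lines))
    return findings
```

Run `audit()` over the output of show running-config before enabling dot1x system-auth-control; the switch rejects most of these combinations interactively, but a pushed template or a later mode change can still leave them in a saved configuration.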

Configuring the Switch-to-RADIUS-Server Communication 

RADIUS security servers are identified by their hostname or IP address, hostname and specific UDP port 
numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port 
number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on 
a server at the same IP address. If two different host entries on the same RADIUS server are configured 
for the same service (for example, authentication), the second host entry configured acts as the 
fail-over backup to the first one. The RADIUS host entries are tried in the order that they were 
configured. 
Beginning in privileged EXEC mode, follow these steps to configure the RADIUS server parameters on 
the switch. This procedure is required. 

Step 1   configure terminal 
         Enter global configuration mode. 

Step 2   radius-server host {hostname | ip-address} auth-port port-number key string 
         Configure the RADIUS server parameters. 
         For hostname | ip-address, specify the hostname or IP address of the remote RADIUS server. 
         For auth-port port-number, specify the UDP destination port for authentication requests. The 
         default is 1812. The range is 0 to 65536. 
         For key string, specify the authentication and encryption key used between the switch and 
         the RADIUS daemon running on the RADIUS server. The key is a text string that must match 
         the encryption key used on the RADIUS server. 
         Note: Always configure the key as the last item in the radius-server host command syntax 
         because leading spaces are ignored, but spaces within and at the end of the key are used. If 
         you use spaces in the key, do not enclose the key in quotation marks unless the quotation 
         marks are part of the key. This key must match the encryption used on the RADIUS daemon. 
         If you want to use multiple RADIUS servers, re-enter this command. 

Step 3   end 
         Return to privileged EXEC mode. 

Step 4   show running-config 
         Verify your entries. 

Step 5   copy running-config startup-config 
         (Optional) Save your entries in the configuration file. 

To delete the specified RADIUS server, use the no radius-server host {hostname | ip-address} global 
configuration command. 

This example shows how to specify the server with IP address 172.20.39.46 as the RADIUS server, to 
use port 1612 as the authorization port, and to set the encryption key to rad123, matching the key on the 
RADIUS server: 

Switch(config)# radius-server host 172.120.39.46 auth-port 6403 key rad123 

You can globally configure the timeout, retransmission, and encryption key values for all RADIUS 
servers by using the radius-server host global configuration command. If you want to configure these 
options on a per-server basis, use the radius-server timeout, radius-server retransmit, and the 
radius-server key global configuration commands. For more information, see the "Configuring Settings 
for All RADIUS Servers" section on page 5-29. 

You also need to configure some settings on the RADIUS server. These settings include the IP address 
of the switch and the key string to be shared by both the server and the switch. For more information, 
see the RADIUS server documentation. 
Configuring the Host Mode 

Beginning in privileged EXEC mode, follow these steps to allow multiple hosts (clients) on an 
IEEE 802.1x-authorized port that has the dot1x port-control interface configuration command set to 
auto. This procedure is optional. 

Step 1   configure terminal 
         Enter global configuration mode. 

Step 2   interface interface-id 
         Specify the port to which multiple hosts are indirectly attached, and enter interface 
         configuration mode. 

Step 3   dot1x host-mode multi-host 
         Allow multiple hosts (clients) on an IEEE 802.1x-authorized port. 
         Make sure that the dot1x port-control interface configuration command is set to auto for the 
         specified interface. 

Step 4   end 
         Return to privileged EXEC mode. 

Step 5   show dot1x interface interface-id 
         Verify your entries. 

Step 6   copy running-config startup-config 
         (Optional) Save your entries in the configuration file. 

To disable multiple hosts on the port, use the no dot1x host-mode multi-host interface configuration 
command. 

This example shows how to enable IEEE 802.1x authentication and to allow multiple hosts: 

Switch(config)# interface gigabitethernet0/1 
Switch(config-if)# dot1x port-control auto 
Switch(config-if)# dot1x host-mode multi-host 

Configuring Periodic Re-Authentication 

You can enable periodic IEEE 802.1x client re-authentication and specify how often it occurs. If you do 
not specify a time period before enabling re-authentication, the number of seconds between attempts 
is 3600. 

Beginning in privileged EXEC mode, follow these steps to enable periodic re-authentication of the client 
and to configure the number of seconds between re-authentication attempts. This procedure is optional. 

Step 1   configure terminal 
         Enter global configuration mode. 

Step 2   interface interface-id 
         Specify the port to be configured, and enter interface configuration mode. 

Step 3   dot1x reauthentication 
         Enable periodic re-authentication of the client, which is disabled by default. 

Step 4   dot1x timeout reauth-period {seconds | server} 
         Set the number of seconds between re-authentication attempts. 
         The keywords have these meanings: 
         •  seconds: Sets the number of seconds from 1 to 65535; the default is 3600 seconds. 
         •  server: Sets the number of seconds based on the value of the Session-Timeout RADIUS 
            attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute[29]). 
         This command affects the behavior of the switch only if periodic re-authentication is enabled. 

Step 5   end 
         Return to privileged EXEC mode. 

Step 6   show dot1x interface interface-id 
         Verify your entries. 

Step 7   copy running-config startup-config 
         (Optional) Save your entries in the configuration file. 

To disable periodic re-authentication, use the no dot1x reauthentication interface configuration 
command. To return to the default number of seconds between re-authentication attempts, use the no 
dot1x timeout reauth-period interface configuration command. 

This example shows how to enable periodic re-authentication and set the number of seconds between 
re-authentication attempts to 4000: 

Switch(config-if)# dot1x reauthentication 
Switch(config-if)# dot1x timeout reauth-period 4000 


Manually Re-Authenticating a Client Connected to a Port 

You can manually re-authenticate the client connected to a specific port at any time by entering the 
dot1x re-authenticate interface interface-id privileged EXEC command. This step is optional. If you 
want to enable or disable periodic re-authentication, see the "Configuring Periodic Re-Authentication" 
section on page 6-26. 

This example shows how to manually re-authenticate the client connected to a port: 

Switch# dot1x re-authenticate interface gigabitethernet0/1 


Changing the Quiet Period 

When the switch cannot authenticate the client, the switch remains idle for a set period of time and then 
tries again. The dot1x timeout quiet-period interface configuration command controls the idle period. 
A failed authentication of the client might occur because the client provided an invalid password. You 
can provide a faster response time to the user by entering a number smaller than the default. 

Beginning in privileged EXEC mode, follow these steps to change the quiet period. This procedure is 
optional. 

Step 1   configure terminal 
         Enter global configuration mode. 

Step 2   interface interface-id 
         Specify the port to be configured, and enter interface configuration mode. 

Step 3   dot1x timeout quiet-period seconds 
         Set the number of seconds that the switch remains in the quiet state following a failed 
         authentication exchange with the client. 
         The range is 1 to 65535 seconds; the default is 60. 

Step 4   end 
         Return to privileged EXEC mode. 

Step 5   show dot1x interface interface-id 
         Verify your entries. 

Step 6   copy running-config startup-config 
         (Optional) Save your entries in the configuration file. 

To return to the default quiet time, use the no dot1x timeout quiet-period interface configuration 
command. 

This example shows how to set the quiet time on the switch to 30 seconds: 

Switch(config-if)# dot1x timeout quiet-period 30 


Changing the Switch-to-Client Retransmission Time 

The client responds to the EAP-request/identity frame from the switch with an EAP-response/identity 
frame. If the switch does not receive this response, it waits a set period of time (known as the 
retransmission time) and then resends the frame. 

Note: You should change the default value of this command only to adjust for unusual circumstances such as 
unreliable links or specific behavioral problems with certain clients and authentication servers. 

Beginning in privileged EXEC mode, follow these steps to change the amount of time that the switch 
waits for client notification. This procedure is optional. 

Step 1   configure terminal 
         Enter global configuration mode. 

Step 2   interface interface-id 
         Specify the port to be configured, and enter interface configuration mode. 

Step 3   dot1x timeout tx-period seconds 
         Set the number of seconds that the switch waits for a response to an EAP-request/identity 
         frame from the client before resending the request. 
         The range is 5 to 65535 seconds; the default is 5. 

Step 4   end 
         Return to privileged EXEC mode. 

Step 5   show dot1x interface interface-id 
         Verify your entries. 

Step 6   copy running-config startup-config 
         (Optional) Save your entries in the configuration file. 

To return to the default retransmission time, use the no dot1x timeout tx-period interface configuration 
command. 

This example shows how to set 60 as the number of seconds that the switch waits for a response to an 
EAP-request/identity frame from the client before resending the request: 

Switch(config-if)# dot1x timeout tx-period 60 
Setting the Switch-to-Client Frame-Retransmission Number 

In addition to changing the switch-to-client retransmission time, you can change the number of times 
that the switch sends an EAP-request/identity frame (assuming no response is received) to the client 
before restarting the authentication process. 

Note: You should change the default value of this command only to adjust for unusual circumstances such as 
unreliable links or specific behavioral problems with certain clients and authentication servers. 

Beginning in privileged EXEC mode, follow these steps to set the switch-to-client frame-retransmission 
number. This procedure is optional. 

Step 1   configure terminal 
         Enter global configuration mode. 

Step 2   interface interface-id 
         Specify the port to be configured, and enter interface configuration mode. 

Step 3   dot1x max-req count 
         Set the number of times that the switch sends an EAP-request/identity frame to the client 
         before restarting the authentication process. The range is 1 to 10; the default is 2. 

Step 4   end 
         Return to privileged EXEC mode. 

Step 5   show dot1x interface interface-id 
         Verify your entries. 

Step 6   copy running-config startup-config 
         (Optional) Save your entries in the configuration file. 

To return to the default retransmission number, use the no dot1x max-req interface configuration 
command. 

This example shows how to set 5 as the number of times that the switch sends an EAP-request/identity 
request before restarting the authentication process: 

Switch(config-if)# dot1x max-req 5 


Setting the Re-Authentication Number 

You can also change the number of times that the switch restarts the authentication process before the 
port changes to the unauthorized state. 

Note: You should change the default value of this command only to adjust for unusual circumstances such as 
unreliable links or specific behavioral problems with certain clients and authentication servers. 

Beginning in privileged EXEC mode, follow these steps to set the re-authentication number. This 
procedure is optional. 

Step 1   configure terminal 
         Enter global configuration mode. 

Step 2   interface interface-id 
         Specify the port to be configured, and enter interface configuration mode. 

Step 3   dot1x max-reauth-req count 
         Set the number of times that the switch restarts the authentication process before the port 
         changes to the unauthorized state. The range is 0 to 10; the default is 2. 

Step 4   end 
         Return to privileged EXEC mode. 

Step 5   show dot1x interface interface-id 
         Verify your entries. 

Step 6   copy running-config startup-config 
         (Optional) Save your entries in the configuration file. 

To return to the default re-authentication number, use the no dot1x max-reauth-req interface 
configuration command. 

This example shows how to set 4 as the number of times that the switch restarts the authentication 
process before the port changes to the unauthorized state: 

Switch(config-if)# dot1x max-reauth-req 4 


Configuring IEEE 802.1x Accounting 

Enabling AAA system accounting with IEEE 802.1x accounting allows system reload events to be sent 
to the accounting RADIUS server for logging. The server can then infer that all active IEEE 802.1x 
sessions are closed. 

Because RADIUS uses the unreliable UDP transport protocol, accounting messages might be lost due to 
poor network conditions. If the switch does not receive the accounting response message from the 
RADIUS server after a configurable number of retransmissions of an accounting request, this system 
message appears: 

Accounting message %s for session %s failed to receive Accounting Response. 

When the stop message is not sent successfully, this message appears: 

00:09:55: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.20.246.201:1645,1646 is not responding. 

Note: You must configure the RADIUS server to perform accounting tasks, such as logging start, stop, and 
interim-update messages and time stamps. To turn on these functions, enable logging of 
"Update/Watchdog packets from this AAA client" in your RADIUS server Network Configuration tab. 
Next, enable "CVS RADIUS Accounting" in your RADIUS server System Configuration tab. 

Beginning in privileged EXEC mode, follow these steps to configure IEEE 802.1x accounting after AAA 
is enabled on your switch. This procedure is optional. 

Step 1   configure terminal 
         Enter global configuration mode. 

Step 2   interface interface-id 
         Specify the port to be configured, and enter interface configuration mode. 

Step 3   aaa accounting dot1x default start-stop group radius 
         Enable IEEE 802.1x accounting using the list of all RADIUS servers. 

Step 4   aaa accounting system default start-stop group radius 
         (Optional) Enable system accounting (using the list of all RADIUS servers) and generate 
         system accounting reload event messages when the switch reloads. 

Step 5   end 
         Return to privileged EXEC mode. 

Step 6   show running-config 
         Verify your entries. 

Step 7   copy running-config startup-config 
         (Optional) Save your entries in the configuration file. 

Use the show radius statistics privileged EXEC command to display the number of RADIUS messages 
that do not receive the accounting response message. 

This example shows how to configure IEEE 802.1x accounting. The first command configures the 
RADIUS server, specifying 1813 as the UDP port for accounting: 

Switch(config)# radius-server host 172.120.39.46 auth-port 1812 acct-port 1813 key rad123 
Switch(config)# aaa accounting dot1x default start-stop group radius 
Switch(config)# aaa accounting system default start-stop group radius 
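As an added monitoring example that is not part of this guide, the following Python script parses the two system messages quoted above out of switch syslog output: it reports which sessions lost their accounting Stop (so the accounting server still believes them open) and whether every RADIUS server the operator lists has been reported dead, the condition under which critical ports fall back to the critical-authentication state. The sample lines, server addresses, session ids and message types are constructed; this script does not track a server coming back, so it describes what was reported within the lines it was given.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in the two formats shown above. The
# timestamps, server addresses, message types and session ids are made up.
SAMPLE_SYSLOG = """\
00:09:40: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.20.246.201:1645,1646 is not responding.
00:09:41: Accounting message Start for session 0A141E0100000007 failed to receive Accounting Response.
00:09:55: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.20.246.201:1645,1646 is not responding.
00:10:02: Accounting message Stop for session 0A141E0100000003 failed to receive Accounting Response.
00:10:30: Accounting message Stop for session 0A141E0100000007 failed to receive Accounting Response.
00:10:31: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.20.246.202:1645,1646 is not responding.
"""

DEAD_RE = re.compile(r"%RADIUS-4-RADIUS_DEAD: RADIUS server (\S+) is not responding")
ACCT_RE = re.compile(r"Accounting message (\S+) for session (\S+) failed to receive Accounting Response")


def summarize(syslog_text):
    """Group dead-server and lost-accounting messages from switch syslog output."""
    dead = Counter()           # server -> number of RADIUS_DEAD messages
    lost = defaultdict(list)   # session id -> accounting message types that got no response
    for line in syslog_text.splitlines():
        m = DEAD_RE.search(line)
        if m:
            dead[m.group(1)] += 1
            continue
        m = ACCT_RE.search(line)
        if m:
            lost[m.group(2)].append(m.group(1))
    # A lost Stop means the accounting server still believes the session is open.
    open_on_server = sorted(s for s, kinds in lost.items() if "Stop" in kinds)
    return {"dead_servers": dict(dead), "lost": dict(lost),
            "sessions_open_on_server": open_on_server}


def all_servers_dead(summary, configured_servers):
    """True when every configured RADIUS server (given as ip:auth-port,acct-port,
    the form the RADIUS_DEAD message uses) was reported dead in the input: ports
    configured for inaccessible authentication bypass can then be in the
    critical-authentication state, which is worth an alert on its own."""
    return all(srv in summary["dead_servers"] for srv in configured_servers)
```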

Configuring a Guest VLAN 

When you configure a guest VLAN, clients that are not IEEE 802.1x-capable are put into the guest 
VLAN when the server does not receive a response to its EAP request/identity frame. Clients that are 
IEEE 802.1x-capable but that fail authentication are not granted network access. The switch supports 
guest VLANs in single-host or multiple-hosts mode. 

Beginning in privileged EXEC mode, follow these steps to configure a guest VLAN. This procedure is 
optional. 

Step 1   configure terminal 
         Enter global configuration mode. 

Step 2   interface interface-id 
         Specify the port to be configured, and enter interface configuration mode. 
         For the supported port types, see the "IEEE 802.1x Authentication Configuration Guidelines" 
         section on page 6-21. 

Step 3   switchport mode access 
         or 
         switchport mode private-vlan host 
         Set the port to access mode, 
         or 
         Configure the port as a private-VLAN host port. 

Step 4   dot1x port-control auto 
         Enable IEEE 802.1x authentication on the port. 

Step 5   dot1x guest-vlan vlan-id 
         Specify an active VLAN as an IEEE 802.1x guest VLAN. The range is 1 to 4094. 
         You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an 
         IEEE 802.1x guest VLAN. 

Step 6   end 
         Return to privileged EXEC mode. 

Step 7   show dot1x interface interface-id 
         Verify your entries. 

Step 8   copy running-config startup-config 
         (Optional) Save your entries in the configuration file. 

To disable and remove the guest VLAN, use the no dot1x guest-vlan interface configuration command. 
The port returns to the unauthorized state. 

This example shows how to enable VLAN 2 as an IEEE 802.1x guest VLAN: 

Switch(config)# interface gigabitethernet0/2 
Switch(config-if)# dot1x guest-vlan 2 

This example shows how to set 3 as the quiet time on the switch, to set 15 as the number of seconds that 
the switch waits for a response to an EAP-request/identity frame from the client before re-sending the 
request, and to enable VLAN 2 as an IEEE 802.1x guest VLAN when an IEEE 802.1x port is connected 
to a DHCP client: 

Switch(config-if)# dot1x timeout quiet-period 3 
Switch(config-if)# dot1x timeout tx-period 15 
Switch(config-if)# dot1x guest-vlan 2 

Configuring a Restricted VLAN 

When you configure a restricted VLAN on a switch, clients that are IEEE 802.1x-compliant are moved 
into the restricted VLAN when the authentication server does not receive a valid username and 
password. The switch supports restricted VLANs only in single-host mode. 

Beginning in privileged EXEC mode, follow these steps to configure a restricted VLAN. This procedure 
is optional. 

Step 1   configure terminal 
         Enter global configuration mode. 

Step 2   interface interface-id 
         Specify the port to be configured, and enter interface configuration mode. 
         For the supported port types, see the "IEEE 802.1x Authentication Configuration Guidelines" 
         section on page 6-21. 

Step 3   switchport mode access 
         or 
         switchport mode private-vlan host 
         Set the port to access mode, 
         or 
         Configure the port as a private-VLAN host port. 

Step 4   dot1x port-control auto 
         Enable IEEE 802.1x authentication on the port. 

Step 5   dot1x auth-fail vlan vlan-id 
         Specify an active VLAN as an IEEE 802.1x restricted VLAN. The range is 1 to 4094. 
         You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an 
         IEEE 802.1x restricted VLAN. 

Step 6   end 
         Return to privileged EXEC mode. 

Step 7   show dot1x interface interface-id 
         (Optional) Verify your entries. 

Step 8   copy running-config startup-config 
         (Optional) Save your entries in the configuration file. 

To disable and remove the restricted VLAN, use the no dot1x auth-fail vlan interface configuration 
command. The port returns to the unauthorized state. 

This example shows how to enable VLAN 2 as an IEEE 802.1x restricted VLAN: 

Switch(config)# interface gigabitethernet0/2 
Switch(config-if)# dot1x auth-fail vlan 2 

You can configure the maximum number of authentication attempts allowed before a user is assigned to 
the restricted VLAN by using the dot1x auth-fail max-attempts interface configuration command. The 
range of allowable authentication attempts is 1 to 3. The default is 3 attempts. 
Beginning in privileged EXEC mode, follow these steps to configure the maximum number of allowed authentication attempts. This procedure is optional.

Step 1   configure terminal
         Enter global configuration mode.

Step 2   interface interface-id
         Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the "IEEE 802.1x Authentication Configuration Guidelines" section on page 6-21.

Step 3   switchport mode access
         or
         switchport mode private-vlan host
         Set the port to access mode, or configure the port as a private-VLAN host port.

Step 4   dot1x port-control auto
         Enable IEEE 802.1x authentication on the port.

Step 5   dot1x auth-fail vlan vlan-id
         Specify an active VLAN as an IEEE 802.1x restricted VLAN. The range is 1 to 4094. You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x restricted VLAN.

Step 6   dot1x auth-fail max-attempts max-attempts
         Specify the number of authentication attempts to allow before a port moves to the restricted VLAN. The range is 1 to 3, and the default is 3.

Step 7   end
         Return to privileged EXEC mode.

Step 8   show dot1x interface interface-id
         (Optional) Verify your entries.

Step 9   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To return to the default value, use the no dot1x auth-fail max-attempts interface configuration command.

This example shows how to set 2 as the number of authentication attempts allowed before the port moves to the restricted VLAN:

Switch(config-if)# dot1x auth-fail max-attempts 2
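The two procedures above state several constraints on a restricted VLAN: the port must be an access or private-VLAN host port with dot1x port-control auto, the VLAN must be in the range 1 to 4094 and must not be an RSPAN or voice VLAN, and max-attempts must be 1 to 3. The following Python script, added here as an example and not part of this guide or of Cisco IOS, parses a running-config and reports ports that violate those rules. It also warns when the restricted VLAN is the port's own access VLAN, a case the guide does not call out but one that makes a failed authentication worth exactly as much to the host as a successful one. The configuration text and interface names are constructed for the example.

```python
"""Audit IEEE 802.1x restricted-VLAN settings in a Cisco IOS running-config.

Added example for this guide, not Cisco code. Checks the constraints stated in
the two procedures above and warns when the restricted VLAN equals the port's
access VLAN. Config text and interface names are constructed for the example.
"""
import re

SAMPLE_CONFIG = """\
vlan 99
 remote-span
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 dot1x port-control auto
 dot1x auth-fail vlan 30
 dot1x auth-fail max-attempts 2
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 dot1x auth-fail vlan 10
!
interface GigabitEthernet0/3
 switchport mode access
 dot1x auth-fail vlan 99
 dot1x auth-fail max-attempts 5
!
interface GigabitEthernet0/4
 switchport mode access
 switchport voice vlan 20
 dot1x port-control auto
 dot1x auth-fail vlan 20
!
"""


def parse_config(text):
    """Return (set of RSPAN VLAN IDs, {interface name: [config lines]})."""
    rspan, interfaces, block, vlan_id = set(), {}, None, None
    for line in text.splitlines():
        if line.startswith("vlan "):
            vlan_id, block = int(line.split()[1]), []
        elif line.startswith("interface "):
            vlan_id, block = None, []
            interfaces[line.split(None, 1)[1]] = block
        elif line.startswith(" ") and block is not None:
            block.append(line.strip())
            if vlan_id is not None and line.strip() == "remote-span":
                rspan.add(vlan_id)          # "vlan N / remote-span" marks an RSPAN VLAN
        else:                               # "!" or any other top-level line
            vlan_id, block = None, None
    return rspan, interfaces


def first_match(lines, pattern):
    """Return the first capture group of the first config line matching pattern."""
    for line in lines:
        m = re.fullmatch(pattern, line)
        if m:
            return m.group(1)
    return None


def audit_restricted_vlan(text):
    """Map each port that sets 'dot1x auth-fail vlan' to a list of findings."""
    rspan, interfaces = parse_config(text)
    findings = {}
    for name, lines in interfaces.items():
        restricted = first_match(lines, r"dot1x auth-fail vlan (\d+)")
        if restricted is None:
            continue
        restricted, problems = int(restricted), []
        if first_match(lines, r"switchport mode (access|private-vlan host)") is None:
            problems.append("not an access or private-VLAN host port")
        if first_match(lines, r"dot1x port-control (auto)") is None:
            problems.append("dot1x port-control auto missing; restricted VLAN never used")
        if not 1 <= restricted <= 4094:
            problems.append(f"VLAN {restricted} is outside 1-4094")
        if restricted in rspan:
            problems.append(f"VLAN {restricted} is an RSPAN VLAN")
        voice = first_match(lines, r"switchport voice vlan (\d+)")
        if voice is not None and int(voice) == restricted:
            problems.append(f"VLAN {restricted} is the port's voice VLAN")
        access = first_match(lines, r"switchport access vlan (\d+)")
        if access is not None and int(access) == restricted:
            problems.append(f"VLAN {restricted} is also the access VLAN; "
                            "failed and successful authentication give the same access")
        attempts = first_match(lines, r"dot1x auth-fail max-attempts (\d+)")
        if attempts is not None and not 1 <= int(attempts) <= 3:
            problems.append(f"max-attempts {attempts} is outside 1-3")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for port, problems in audit_restricted_vlan(SAMPLE_CONFIG).items():
        print(port, "OK" if not problems else "; ".join(problems))
```

Run it against the output of show running-config; in the constructed sample only GigabitEthernet0/1 passes, GigabitEthernet0/3 collects three findings, and the other two ports each get one.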


Configuring  the  Inaccessible  Authentication  Bypass  Feature 


You  can  configure  the  inaccessible  bypass  feature,  also  referred  to  as  critical  authentication  or  the  AAA 
fail  policy. 


380261-003
Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide
6-33
Chapter 6  Configuring IEEE 802.1x Port-Based Authentication
Configuring IEEE 802.1x Authentication


Beginning in privileged EXEC mode, follow these steps to configure the port as a critical port and enable the inaccessible authentication bypass feature. This procedure is optional.

Step 1   configure terminal
         Enter global configuration mode.

Step 2   radius-server dead-criteria time time tries tries
         (Optional) Set the conditions that are used to decide when a RADIUS server is considered unavailable or dead.
         The range for time is from 1 to 120 seconds. The switch dynamically determines the default time value, which is 10 to 60 seconds.
         The range for tries is from 1 to 100. The switch dynamically determines the default tries value, which is 10 to 100.

Step 3   radius-server deadtime minutes
         (Optional) Set the number of minutes during which a RADIUS server that has been marked dead is not sent requests. The range is from 0 to 1440 minutes (24 hours). The default is 0 minutes.

Step 4   radius-server host ip-address [acct-port udp-port] [auth-port udp-port] [test username name [idle-time time] [ignore-acct-port] [ignore-auth-port]] [key string]
         (Optional) Configure the RADIUS server parameters by using these keywords:
         •  acct-port udp-port — Specify the UDP port for the RADIUS accounting server. The range for the UDP port number is from 0 to 65535. The default is 1646.
         •  auth-port udp-port — Specify the UDP port for the RADIUS authentication server. The range for the UDP port number is from 0 to 65535. The default is 1645.
         Note  You should configure the UDP port for the RADIUS accounting server and the UDP port for the RADIUS authentication server to nondefault values.
         •  test username name — Enable automated testing of the RADIUS server status, and specify the username to be used. The test only needs a response from the server, so the username does not have to belong to an account that can authenticate.
         •  idle-time time — Set the interval of time in minutes after which the switch sends test packets to the server. The range is from 1 to 35791 minutes. The default is 60 minutes (1 hour).
         •  ignore-acct-port — Disable testing on the RADIUS-server accounting port.
         •  ignore-auth-port — Disable testing on the RADIUS-server authentication port.
         •  key string — Specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server. The key is a text string that must match the encryption key used on the RADIUS server.
         Note  Always configure the key as the last item in the radius-server host command syntax because leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks are part of the key. This key must match the encryption key used on the RADIUS daemon. You can also configure the authentication and encryption key by using the radius-server key {0 string | 7 string | string} global configuration command.

Step 5   dot1x critical {eapol | recovery delay milliseconds}
         (Optional) Configure the parameters for inaccessible authentication bypass:
         •  eapol — Specify that the switch sends an EAPOL-Success message when the switch successfully authenticates the critical port.
         •  recovery delay milliseconds — Set the recovery delay period during which the switch waits to re-initialize a critical port when a RADIUS server that was unavailable becomes available. The range is from 1 to 10000 milliseconds. The default is 1000 milliseconds (a port can be re-initialized every second).
Step 6   interface interface-id
         Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the "IEEE 802.1x Authentication Configuration Guidelines" section on page 6-21.

Step 7   dot1x critical [recovery action reinitialize | vlan vlan-id]
         Enable the inaccessible authentication bypass feature, and use these keywords to configure the feature:
         •  recovery action reinitialize — Enable the recovery feature, and specify that the recovery action is to authenticate the port when an authentication server is available.
         •  vlan vlan-id — Specify the access VLAN to which the switch can assign a critical port. The range is from 1 to 4094.

Step 8   end
         Return to privileged EXEC mode.

Step 9   show dot1x [interface interface-id]
         (Optional) Verify your entries.

Step 10  copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To return to the RADIUS server default settings, use the no radius-server dead-criteria, the no radius-server deadtime, and the no radius-server host global configuration commands. To return to the default settings of inaccessible authentication bypass, use the no dot1x critical {eapol | recovery delay} global configuration command. To disable inaccessible authentication bypass, use the no dot1x critical interface configuration command.

This example shows how to configure the inaccessible authentication bypass feature. The key is the last item on the radius-server host line, as the note above requires:

Switch(config)# radius-server dead-criteria time 30 tries 20
Switch(config)# radius-server deadtime 60
Switch(config)# radius-server host 1.1.1.2 acct-port 1550 auth-port 1560 test username user1 idle-time 30 key abc1234
Switch(config)# dot1x critical eapol
Switch(config)# dot1x critical recovery delay 2000
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# dot1x critical
Switch(config-if)# dot1x critical recovery action reinitialize
Switch(config-if)# dot1x critical vlan 20
Switch(config-if)# end
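The example above sets dead-criteria, deadtime, a test user and a critical VLAN, but the procedure does not walk through how those values interact. The Python model below, added here as an example rather than Cisco code, shows in simplified form how a server comes to be marked dead and what a critical port does while it is, and it parses a radius-server host line the way the note above describes (everything after the key keyword is the secret; leading spaces are dropped, embedded and trailing spaces are kept) and flags default UDP ports. The timing rule it uses (dead after tries consecutive unanswered requests once time seconds have passed without a reply, and skipped for deadtime minutes) is the model's assumption about the behaviour the procedure describes, not a statement of the exact IOS algorithm. The server address, timestamps and config line are constructed for the example.

```python
"""Model of RADIUS dead-server detection and the critical-port decision.

Added example for this guide, not Cisco code. Simplified model of the
dead-criteria / deadtime behaviour described in the procedure above: a server
is marked dead after `tries` consecutive unanswered requests once `time`
seconds have passed without a reply, and is skipped for `deadtime` minutes.
Server address, timestamps and config lines are constructed for the example.
"""
import re

DEFAULT_PORTS = {"acct-port": "1646", "auth-port": "1645"}


def parse_radius_server_host(line):
    """Split a 'radius-server host ...' line into (host, option tokens, key).

    Everything after the first ' key ' is the shared secret: leading spaces
    are dropped, embedded and trailing spaces are kept, which is why the
    guide says to put key last on the line.
    """
    m = re.match(r"radius-server host (\S+)(.*)$", line)
    if not m:
        raise ValueError("not a radius-server host line")
    host, rest, key = m.group(1), m.group(2), None
    if " key " in rest:
        rest, key = rest.split(" key ", 1)
        key = key.lstrip(" ")
    return host, rest.split(), key


def port_warnings(options):
    """Flag default or out-of-range UDP ports in the parsed option tokens."""
    warnings = []
    for keyword, default in DEFAULT_PORTS.items():
        value = options[options.index(keyword) + 1] if keyword in options else default
        if not 0 <= int(value) <= 65535:
            warnings.append(f"{keyword} {value} is outside 0-65535")
        elif value == default:
            warnings.append(f"{keyword} uses default {default}; guide recommends a nondefault port")
    return warnings


class RadiusServer:
    """One RADIUS server as seen by the switch's dead-criteria logic (model)."""

    def __init__(self, name, time_s, tries, deadtime_min):
        self.name = name
        self.time_s = time_s                  # radius-server dead-criteria time
        self.tries = tries                    # radius-server dead-criteria tries
        self.deadtime_s = deadtime_min * 60   # radius-server deadtime, in seconds
        self.last_response = 0.0              # time of the last reply received
        self.unanswered = 0                   # consecutive requests with no reply
        self.dead_until = None

    def is_dead(self, now):
        if self.dead_until is not None and now >= self.dead_until:
            self.dead_until, self.unanswered = None, 0    # deadtime expired
        return self.dead_until is not None

    def request(self, now, answered):
        """Record one request; return True if the server is dead afterwards."""
        if answered:
            self.last_response, self.unanswered, self.dead_until = now, 0, None
            return False
        self.unanswered += 1
        if self.unanswered >= self.tries and now - self.last_response >= self.time_s:
            self.dead_until = now + self.deadtime_s
        return self.dead_until is not None


def critical_port_decision(servers, now, critical_vlan):
    """What happens to a new host on a critical port at time `now`."""
    if servers and all(s.is_dead(now) for s in servers):
        return "authorized-critical-vlan", critical_vlan
    return "authenticate-via-radius", None


def run_scenario():
    """Replay the values of the example above: time 30, tries 20, deadtime 60."""
    srv = RadiusServer("1.1.1.2", time_s=30, tries=20, deadtime_min=60)
    events = []
    for i in range(1, 21):                    # one unanswered request every 2 s
        if srv.request(now=2.0 * i, answered=False):
            events.append(("dead", 2.0 * i))
            break
    events.append(("port", 100.0) + critical_port_decision([srv], 100.0, 20))
    events.append(("port", 3700.0) + critical_port_decision([srv], 3700.0, 20))
    return events


if __name__ == "__main__":
    host, opts, key = parse_radius_server_host(
        "radius-server host 1.1.1.2 acct-port 1550 auth-port 1560 "
        "test username user1 idle-time 30 key abc1234")
    print(host, opts, repr(key), port_warnings(opts))
    for event in run_scenario():
        print(event)
```

In the replayed scenario the server is dead at 40 seconds (the 20th unanswered request, more than 30 seconds after the last reply), a host arriving at 100 seconds is placed in VLAN 20, and at 3700 seconds the 60-minute deadtime has expired and normal RADIUS authentication resumes.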


Configuring  IEEE  802.1x  Authentication  with  WoL 

Beginning in privileged EXEC mode, follow these steps to enable IEEE 802.1x authentication with WoL. This procedure is optional.

Step 1   configure terminal
         Enter global configuration mode.

Step 2   interface interface-id
         Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the "IEEE 802.1x Authentication Configuration Guidelines" section on page 6-21.

Step 3   dot1x control-direction {both | in}
         Enable IEEE 802.1x authentication with WoL on the port, and use these keywords to configure the port as bidirectional or unidirectional.
         •  both — Sets the port as bidirectional. While the port is unauthorized, it neither receives packets from nor sends packets to the host. By default, the port is bidirectional.
         •  in — Sets the port as unidirectional. While the port is unauthorized, it can send packets (such as WoL magic packets) to the host but cannot receive packets from the host.

Step 4   end
         Return to privileged EXEC mode.

Step 5   show dot1x interface interface-id
         Verify your entries.

Step 6   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To disable IEEE 802.1x authentication with WoL, use the no dot1x control-direction interface configuration command.

This example shows how to enable IEEE 802.1x authentication with WoL and set the port as bidirectional:

Switch(config-if)# dot1x control-direction both


Configuring  MAC  Authentication  Bypass 


Beginning in privileged EXEC mode, follow these steps to enable MAC authentication bypass. This procedure is optional.

Step 1   configure terminal
         Enter global configuration mode.

Step 2   interface interface-id
         Specify the port to be configured, and enter interface configuration mode. For the supported port types, see the "IEEE 802.1x Authentication Configuration Guidelines" section on page 6-21.

Step 3   dot1x port-control auto
         Enable IEEE 802.1x authentication on the port.

Step 4   dot1x mac-auth-bypass [eap]
         Enable MAC authentication bypass.
         (Optional) Use the eap keyword to configure the switch to use EAP for authorization.

Step 5   end
         Return to privileged EXEC mode.

Step 6   show dot1x interface interface-id
         Verify your entries.

Step 7   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To disable MAC authentication bypass, use the no dot1x mac-auth-bypass interface configuration command.

Because MAC authentication bypass authorizes a device on nothing more than its MAC address, which any host on the segment can copy, limit what the RADIUS server grants to MAC-authenticated devices (for example, a VLAN and ACLs that carry only the traffic those devices need).

This example shows how to enable MAC authentication bypass:

Switch(config-if)# dot1x mac-auth-bypass
Configuring IEEE 802.1x Authentication Using a RADIUS Server

You can configure IEEE 802.1x authentication with a RADIUS server.

Beginning in privileged EXEC mode, follow these steps to configure IEEE 802.1x authentication with a RADIUS server. The procedure is optional.

Step 1   configure terminal
         Enter global configuration mode.

Step 2   interface interface-id
         Specify the port to be configured, and enter interface configuration mode.

Step 3   dot1x guest-vlan vlan-id
         Specify an active VLAN as an IEEE 802.1x guest VLAN. The range is 1 to 4094. You can configure any active VLAN except an RSPAN VLAN or a voice VLAN as an IEEE 802.1x guest VLAN.

Step 4   dot1x reauthentication
         Enable periodic re-authentication of the client, which is disabled by default.

Step 5   dot1x timeout reauth-period {seconds | server}
         Set the number of seconds between re-authentication attempts. The keywords have these meanings:
         •  seconds — Sets the number of seconds from 1 to 65535; the default is 3600 seconds.
         •  server — Sets the number of seconds based on the value of the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute[29]).
         This command affects the behavior of the switch only if periodic re-authentication is enabled.

Step 6   end
         Return to privileged EXEC mode.

Step 7   show dot1x interface interface-id
         Verify your IEEE 802.1x authentication configuration.

Step 8   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

This example shows how to configure IEEE 802.1x using a RADIUS server:

Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# dot1x reauthentication
Switch(config-if)# dot1x timeout reauth-period server


Configuring  Web  Authentication 

Beginning in privileged EXEC mode, follow these steps to configure authentication, authorization, and accounting (AAA) and RADIUS on a switch before configuring web authentication. The steps enable AAA by using RADIUS authentication and enable device tracking.

Step 1   configure terminal
         Enter global configuration mode.

Step 2   aaa new-model
         Enable AAA.

Step 3   aaa authentication login default group radius
         Use RADIUS authentication. Before you can use this authentication method, you must configure the RADIUS server. For more information, see Chapter 5, "Configuring Switch-Based Authentication."
         The console prompts you for a username and password on future attempts to access the switch console after entering the aaa authentication login command. If you do not want to be prompted for a username and password, configure a second login authentication list and apply it to the console line:

         Switch# config t
         Switch(config)# aaa authentication login line-console none
         Switch(config)# line console 0
         Switch(config-line)# login authentication line-console
         Switch(config-line)# end

         The none method leaves the console with no authentication at all, so use it only where physical access to the console port is controlled.

Step 4   aaa authorization auth-proxy default group radius
         Use RADIUS for authentication-proxy (auth-proxy) authorization.

Step 5   radius-server host ip-address key radius-key
         Specify the RADIUS server and the authentication and encryption key for RADIUS communication between the switch and the RADIUS daemon.

Step 6   radius-server attribute 8 include-in-access-req
         Configure the switch to send the Framed-IP-Address RADIUS attribute (Attribute[8]) in access-request or accounting-request packets.

Step 7   radius-server vsa send authentication
         Configure the network access server to recognize and use vendor-specific attributes (VSAs).

Step 8   ip device tracking
         Enable the IP device tracking table.
         To disable the IP device tracking table, use the no ip device tracking global configuration command.

Step 9   end
         Return to privileged EXEC mode.

This example shows how to enable AAA, use RADIUS authentication, and enable device tracking:

Switch# configure terminal
Switch(config)# aaa new-model
Switch(config)# aaa authentication login default group radius
Switch(config)# aaa authorization auth-proxy default group radius
Switch(config)# radius-server host 1.1.1.2 key key1
Switch(config)# radius-server attribute 8 include-in-access-req
Switch(config)# radius-server vsa send authentication
Switch(config)# ip device tracking
Switch(config)# end

Beginning in privileged EXEC mode, follow these steps to configure a port to use web authentication:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   ip admission name rule proxy http
         Define a web authentication rule.
         Note  The same rule cannot be used for both web authentication and NAC Layer 2 IP validation.

Step 3   interface interface-id
         Specify the port to be configured, and enter interface configuration mode.

Step 4   switchport mode access
         Set the port to access mode.

Step 5   ip access-group access-list in
         Specify the default access control list to be applied to network traffic before web authentication. This ACL bounds what an unauthenticated host can reach, so keep it restrictive; it must still permit the traffic the host needs in order to reach the login page (for example, DHCP and DNS).

Step 6   ip admission rule
         Apply an IP admission rule to the interface.

Step 7   end
         Return to privileged EXEC mode.

Step 8   show running-config interface interface-id
         Verify your configuration.

Step 9   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

This example shows how to configure only web authentication on a switch port:

Switch# configure terminal
Switch(config)# ip admission name rule1 proxy http
Switch(config)# interface gigabit1/0/1
Switch(config-if)# switchport mode access
Switch(config-if)# ip access-group policy1 in
Switch(config-if)# ip admission rule1
Switch(config-if)# end

Beginning in privileged EXEC mode, follow these steps to configure a switch port for IEEE 802.1x authentication with web authentication as a fallback method:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   ip admission name rule proxy http
         Define a web authentication rule.

Step 3   fallback profile fallback-profile
         Define a fallback profile to allow an IEEE 802.1x port to authenticate a client by using web authentication.

Step 4   ip access-group policy in
         Specify the default access control list to apply to network traffic before web authentication.

Step 5   ip admission rule
         Associate an IP admission rule with the profile, and specify that a client connecting by web authentication uses this rule.

Step 6   exit
         Return to global configuration mode.

Step 7   interface interface-id
         Specify the port to be configured, and enter interface configuration mode.

Step 8   switchport mode access
         Set the port to access mode.

Step 9   dot1x port-control auto
         Enable IEEE 802.1x authentication on the interface.

Step 10  dot1x fallback fallback-profile
         Configure the port to authenticate a client by using web authentication when no IEEE 802.1x supplicant is detected on the port. Any change to the fallback-profile global configuration takes effect the next time IEEE 802.1x fallback is invoked on the interface.
         Note  Web authentication cannot be used as a fallback method for IEEE 802.1x if the port is configured for multidomain authentication.


Step 11  end
         Return to privileged EXEC mode.

Step 12  show dot1x interface interface-id
         Verify your configuration.

Step 13  copy running-config startup-config
         (Optional) Save your entries in the configuration file.

This example shows how to configure IEEE 802.1x authentication with web authentication as a fallback method:

Switch# configure terminal
Switch(config)# ip admission name rule1 proxy http
Switch(config)# fallback profile fallback1
Switch(config-fallback-profile)# ip access-group default-policy in
Switch(config-fallback-profile)# ip admission rule1
Switch(config-fallback-profile)# exit
Switch(config)# interface gigabit1/0/1
Switch(config-if)# switchport mode access
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x fallback fallback1
Switch(config-if)# end

For more information about the ip admission name and dot1x fallback commands, see the command reference for this release.


Disabling  IEEE  802.1x  Authentication  on  the  Port 

You can disable IEEE 802.1x authentication on the port by using the no dot1x pae interface configuration command.

Beginning in privileged EXEC mode, follow these steps to disable IEEE 802.1x authentication on the port. This procedure is optional.

Step 1   configure terminal
         Enter global configuration mode.

Step 2   interface interface-id
         Specify the port to be configured, and enter interface configuration mode.

Step 3   no dot1x pae
         Disable IEEE 802.1x authentication on the port.

Step 4   end
         Return to privileged EXEC mode.

Step 5   show dot1x interface interface-id
         Verify your entries.

Step 6   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To configure the port as an IEEE 802.1x port access entity (PAE) authenticator, which enables IEEE 802.1x on the port but does not allow clients connected to the port to be authorized, use the dot1x pae authenticator interface configuration command.

This example shows how to disable IEEE 802.1x authentication on the port:

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# no dot1x pae authenticator
Resetting the IEEE 802.1x Authentication Configuration to the Default Values

Beginning in privileged EXEC mode, follow these steps to reset the IEEE 802.1x authentication configuration to the default values. This procedure is optional.

Step 1   configure terminal
         Enter global configuration mode.

Step 2   interface interface-id
         Enter interface configuration mode, and specify the port to be configured.

Step 3   dot1x default
         Reset the IEEE 802.1x parameters to the default values.

Step 4   end
         Return to privileged EXEC mode.

Step 5   show dot1x interface interface-id
         Verify your entries.

Step 6   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

Displaying  IEEE  802.1x  Statistics  and  Status 

To display IEEE 802.1x statistics for all ports, use the show dot1x all statistics privileged EXEC command. To display IEEE 802.1x statistics for a specific port, use the show dot1x statistics interface interface-id privileged EXEC command.

To display the IEEE 802.1x administrative and operational status for the switch, use the show dot1x all [details | statistics | summary] privileged EXEC command. To display the IEEE 802.1x administrative and operational status for a specific port, use the show dot1x interface interface-id privileged EXEC command.

For  detailed  information  about  the  fields  in  these  displays,  see  the  command  reference  for  this  release. 
CHAPTER 7

Configuring Interface Characteristics

This chapter defines the types of interfaces on the switch and describes how to configure them. The chapter consists of these sections:

•  Understanding Interface Types, page 7-1

•  Using Interface Configuration Mode, page 7-4

•  Configuring Ethernet Interfaces, page 7-9

•  Configuring the System MTU, page 7-14

•  Monitoring and Maintaining the Interfaces, page 7-16

Note  For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the online Cisco IOS Interface Command Reference, Release 12.2.


Understanding  Interface  Types 

This  section  describes  the  different  types  of  interfaces  supported  by  the  switch  with  references  to 
chapters  that  contain  more  detailed  information  about  configuring  these  interface  types.  The  rest  of  the 
chapter  describes  configuration  procedures  for  physical  interface  characteristics. 

These  sections  describe  the  interface  types: 

•  Port-Based  VLANs,  page  7-1 

•  Switch  Ports,  page  7-2 

•  EtherChannel  Port  Groups,  page  7-3 

•  Connecting  Interfaces,  page  7-4 

Port-Based  VLANs 

A  VLAN  is  a  switched  network  that  is  logically  segmented  by  function,  team,  or  application,  without 
regard  to  the  physical  location  of  the  users.  For  more  information  about  VLANs,  see  Chapter  9, 
"Configuring  VLANs."  Packets  received  on  a  port  are  forwarded  only  to  ports  that  belong  to  the  same 
VLAN  as  the  receiving  port.  Network  devices  in  different  VLANs  cannot  communicate  with  one  another 
without  a  Layer  3  device  to  route  traffic  between  the  VLANs. 
VLAN partitions isolate traffic at Layer 2: frames are forwarded only to ports in the same VLAN, and each VLAN has its own MAC address table. A VLAN boundary is a switching boundary, not a firewall; policy between VLANs is enforced by the Layer 3 device, and the ACLs on it, that carries traffic between them. A VLAN comes into existence when a local port is configured to be associated with the VLAN, when the VLAN Trunking Protocol (VTP) learns of its existence from a neighbor on a trunk, or when a user creates a VLAN.

To  configure  normal-range  VLANs  (VLAN  IDs  1  to  1005),  use  the  vlan  vlan-id  global  configuration 
command  to  enter  config-vlan  mode  or  the  vlan  database  privileged  EXEC  command  to  enter  VLAN 
database  configuration  mode.  The  VLAN  configurations  for  VLAN  IDs  1  to  1005  are  saved  in  the  VLAN 
database.  To  configure  extended-range  VLANs  (VLAN  IDs  1006  to  4094),  you  must  use  config-vlan 
mode  with  VTP  mode  set  to  transparent.  Extended-range  VLANs  are  not  added  to  the  VLAN  database. 
When  VTP  mode  is  transparent,  the  VTP  and  VLAN  configuration  is  saved  in  the  switch  running 
configuration,  and  you  can  save  it  in  the  switch  startup  configuration  file  by  entering  the  copy 
running-config  startup-config  privileged  EXEC  command. 

Add  ports  to  a  VLAN  by  using  the  switchport  interface  configuration  commands: 

•  Identify  the  interface. 

•  For  a  trunk  port,  set  trunk  characteristics,  and  if  desired,  define  the  VLANs  to  which  it  can  belong. 

•  For  an  access  port,  set  and  define  the  VLAN  to  which  it  belongs. 

Switch  Ports 

Switch  ports  are  Layer  2-only  interfaces  associated  with  a  physical  port.  Switch  ports  belong  to  one  or 
more  VLANs.  A  switch  port  can  be  an  access  port  or  a  trunk  port.  You  can  configure  a  port  as  an  access 
port  or  trunk  port  or  let  the  Dynamic  Trunking  Protocol  (DTP)  operate  on  a  per-port  basis  to  set  the 
switchport  mode  by  negotiating  with  the  port  on  the  other  end  of  the  link.  Switch  ports  are  used  for 
managing  the  physical  interface  and  associated  Layer  2  protocols. 

Configure  switch  ports  by  using  the  switchport  interface  configuration  commands. 

For  detailed  information  about  configuring  access  port  and  trunk  port  characteristics,  see  Chapter  9, 
"Configuring  VLANs." 

Access  Ports 

An  access  port  belongs  to  and  carries  the  traffic  of  only  one  VLAN  (unless  it  is  configured  as  a  voice 
VLAN  port).  Traffic  is  received  and  sent  in  native  formats  with  no  VLAN  tagging.  Traffic  arriving  on 
an  access  port  is  assumed  to  belong  to  the  VLAN  assigned  to  the  port.  If  an  access  port  receives  a  tagged 
packet  (Inter-Switch  Link  [ISL]  or  IEEE  802. 1Q  tagged),  the  packet  is  dropped,  and  the  source  address 
is  not  learned. 

Two types of access ports are supported:

•  Static access ports are manually assigned to a VLAN, or are assigned to a VLAN by a RADIUS server for use with IEEE 802.1x. For more information, see the "Using IEEE 802.1x Authentication with VLAN Assignment" section on page 6-10.

•  The VLAN membership of a dynamic access port is learned through incoming packets. By default, a dynamic access port is not a member of any VLAN, and forwarding to and from the port is enabled only when the VLAN membership of the port is discovered. Dynamic access ports on the switch are assigned to a VLAN by a VLAN Membership Policy Server (VMPS). The VMPS can be a Catalyst 6500 series switch; this switch cannot be a VMPS server.

You  can  also  configure  an  access  port  with  an  attached  Cisco  IP  Phone  to  use  one  VLAN  for  voice  traffic 
and  another  VLAN  for  data  traffic  from  a  device  attached  to  the  phone.  For  more  information  about 
voice  VLAN  ports,  see  Chapter  11,  "Configuring  Voice  VLAN." 
Trunk Ports

A  trunk  port  carries  the  traffic  of  multiple  VLANs  and  by  default  is  a  member  of  all  VLANs  in  the  VLAN 
database.  These  trunk  port  types  are  supported: 

•  In  an  ISL  trunk  port,  all  received  packets  are  expected  to  be  encapsulated  with  an  ISL  header,  and 
all  transmitted  packets  are  sent  with  an  ISL  header.  Native  (non-tagged)  frames  received  from  an 
ISL  trunk  port  are  dropped. 

•  An  IEEE  802. 1Q  trunk  port  supports  simultaneous  tagged  and  untagged  traffic.  An  IEEE  802. 1Q 
trunk  port  is  assigned  a  default  port  VLAN  ID  (PVID),  and  all  untagged  traffic  travels  on  the  port 
default  PVID.  All  untagged  traffic  and  tagged  traffic  with  a  NULL  VLAN  ID  are  assumed  to  belong 
to  the  port  default  PVID.  A  packet  with  a  VLAN  ID  equal  to  the  outgoing  port  default  PVID  is  sent 
untagged.  All  other  traffic  is  sent  with  a  VLAN  tag. 

Although  by  default,  a  trunk  port  is  a  member  of  every  VLAN  known  to  the  VTP,  you  can  limit  VLAN 
membership  by  configuring  an  allowed  list  of  VLANs  for  each  trunk  port.  The  list  of  allowed  VLANs 
does  not  affect  any  other  port  but  the  associated  trunk  port.  By  default,  all  possible  VLANs  (VLAN  ID  1 
to  4094)  are  in  the  allowed  list.  A  trunk  port  can  become  a  member  of  a  VLAN  only  if  VTP  knows  of 
the  VLAN  and  if  the  VLAN  is  in  the  enabled  state.  If  VTP  learns  of  a  new,  enabled  VLAN  and  the  VLAN 
is  in  the  allowed  list  for  a  trunk  port,  the  trunk  port  automatically  becomes  a  member  of  that  VLAN  and 
traffic  is  forwarded  to  and  from  the  trunk  port  for  that  VLAN.  If  VTP  learns  of  a  new,  enabled  VLAN 
that  is  not  in  the  allowed  list  for  a  trunk  port,  the  port  does  not  become  a  member  of  the  VLAN,  and  no 
traffic  for  the  VLAN  is  forwarded  to  or  from  the  port. 

For  more  information  about  trunk  ports,  see  Chapter  9,  "Configuring  VLANs." 

EtherChannel  Port  Groups 

EtherChannel  port  groups  treat  multiple  switch  ports  as  one  switch  port.  These  port  groups  act  as  a  single 
logical  port  for  high-bandwidth  connections  between  switches  or  between  switches  and  servers.  An 
EtherChannel  balances  the  traffic  load  across  the  links  in  the  channel.  If  a  link  within  the  EtherChannel 
fails,  traffic  previously  carried  over  the  failed  link  changes  to  the  remaining  links.  You  can  group 
multiple  trunk  ports  into  one  logical  trunk  port  or  multiple  access  ports  into  one  logical  access  port. 

Most  protocols  operate  over  either  single  ports  or  aggregated  switch  ports  and  do  not  recognize  the 
physical  ports  within  the  port  group.  Exceptions  are  the  DTP,  the  Cisco  Discovery  Protocol  (CDP),  and 
the  Port  Aggregation  Protocol  (PAgP),  which  operate  only  on  physical  ports. 

When  you  configure  an  EtherChannel,  you  create  a  port-channel  logical  interface  and  assign  an  interface 
to  the  EtherChannel.  Use  the  channel-group  interface  configuration  command  to  dynamically  create  the 
port-channel  logical  interface.  This  command  binds  the  physical  and  logical  ports  together.  For  more 
information,  see  Chapter  28,  "Configuring  EtherChannels  and  Layer  2  Trunk  Failover." 


Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide

Chapter 7  Configuring Interface Characteristics
Connecting  Interfaces 

Devices  within  a  single  VLAN  can  communicate  directly  through  any  switch.  Ports  in  different  VLANs 
cannot  exchange  data  without  going  through  a  routing  device.  In  the  configuration  shown  in  Figure  7-1, 
when  Blade  Server  A  in  VLAN  20  sends  data  to  Blade  Server  B  in  VLAN  30,  the  data  must  go  from 
Blade  Server  A  to  the  switch,  to  the  router,  back  to  the  switch,  and  then  to  Blade  Server  B. 


Figure  7-1  Connecting  VLANs  with  Layer  2  Switches 


Using  Interface  Configuration  Mode 

The  switch  supports  these  interface  types: 

•  Physical  ports — switch  ports 

•  VLANs — switch  virtual  interfaces 

•  Port  channels — EtherChannel  interfaces 

You  can  also  configure  a  range  of  interfaces  (see  the  "Configuring  a  Range  of  Interfaces"  section  on 
page  7-6). 

To  configure  a  physical  interface  (port),  specify  the  interface  type,  module  number,  and  switch  port  number, 
and  enter  interface  configuration  mode. 

•  Type — Gigabit  Ethernet  (gigabitethernet  or  gi)  for  10/100/1000  Mb/s  Ethernet  port  or  small 
form-factor  pluggable  (SFP)  module  Gigabit  Ethernet  interfaces. 

• Module number — The module or slot number on the switch (always 0 on the switch).

You  can  identify  physical  interfaces  by  physically  checking  the  interface  location  on  the  switch.  You 
can  also  use  the  show  privileged  EXEC  commands  to  display  information  about  a  specific  interface  or 
all  the  interfaces  on  the  switch.  The  remainder  of  this  chapter  primarily  provides  physical  interface 
configuration  procedures. 
Procedures for Configuring Interfaces

These  general  instructions  apply  to  all  interface  configuration  processes. 


Step 1  Enter the configure terminal command at the privileged EXEC prompt:

Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#

Step 2  Enter the interface global configuration command. Identify the interface type and the number of the connector. In this example, Gigabit Ethernet port 1 is selected:

Switch(config)# interface gigabitethernet0/1
Switch(config-if)#

Note  You do not need to add a space between the interface type and interface number. For example, in the preceding line, you can specify either gigabitethernet 0/1, gigabitethernet0/1, gi 0/1, or gi0/1.


Step  3      Follow  each  interface  command  with  the  interface  configuration  commands  that  the  interface  requires. 
The  commands  that  you  enter  define  the  protocols  and  applications  that  will  run  on  the  interface.  The 
commands  are  collected  and  applied  to  the  interface  when  you  enter  another  interface  command  or  enter 
end  to  return  to  privileged  EXEC  mode. 

You  can  also  configure  a  range  of  interfaces  by  using  the  interface  range  or  interface  range  macro 
global  configuration  commands.  Interfaces  configured  in  a  range  must  be  the  same  type  and  must  be 
configured  with  the  same  feature  options. 

Step  4      After  you  configure  an  interface,  verify  its  status  by  using  the  show  privileged  EXEC  commands  listed 
in  the  "Monitoring  and  Maintaining  the  Interfaces"  section  on  page  7-16. 


Enter  the  show  interfaces  privileged  EXEC  command  to  see  a  list  of  all  interfaces  on  or  configured  for 
the  switch.  A  report  is  provided  for  each  interface  that  the  device  supports  or  for  the  specified  interface. 
Configuring a Range of Interfaces

You  can  use  the  interface  range  global  configuration  command  to  configure  multiple  interfaces  with 
the  same  configuration  parameters.  When  you  enter  the  interface-range  configuration  mode,  all 
command  parameters  that  you  enter  are  attributed  to  all  interfaces  within  that  range  until  you  exit  this 
mode. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  a  range  of  interfaces  with  the 
same  parameters: 


Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface range {port-range | macro macro_name}
        Specify the range of interfaces (VLANs or physical ports) to be configured, and enter interface-range configuration mode.
        • You can use the interface range command to configure up to five port ranges or a previously defined macro.
        • The macro variable is explained in the "Configuring and Using Interface Range Macros" section on page 7-7.
        • In a comma-separated port-range, you must enter the interface type for each entry and enter spaces before and after the comma.
        • In a hyphen-separated port-range, you do not need to re-enter the interface type, but you must enter a space before the hyphen.

Step 3  Use the normal configuration commands to apply the configuration parameters to all interfaces in the range. Each command is executed as it is entered.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show interfaces [interface-id]
        Verify the configuration of the interfaces in the range.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

When using the interface range global configuration command, note these guidelines:

• Valid entries for port-range:

  - vlan vlan-ID, where the VLAN ID is 1 to 4094

    Note  Although the command-line interface shows options to set multiple VLANs, these options are not supported.

  - gigabitethernet module/{first port} - {last port}, where the module is always 0

  - port-channel port-channel-number - port-channel-number, where the port-channel-number is 1 to 48

    Note  When you use the interface range command with port channels, the first and last port-channel number must be active port channels.

• You must add a space between the first interface number and the hyphen when using the interface range command. For example, the command interface range gigabitethernet0/1 - 4 is a valid range; the command interface range gigabitethernet0/1-4 is not a valid range.

•  The  interface  range  command  only  works  with  VLAN  interfaces  that  have  been  configured  with 
the  interface  vlan  command.  The  show  running-config  privileged  EXEC  command  displays  the 
configured  VLAN  interfaces.  VLAN  interfaces  not  displayed  by  the  show  running-config 
command  cannot  be  used  with  the  interface  range  command. 

•  All  interfaces  defined  in  a  range  must  be  the  same  type  (all  Gigabit  Ethernet  ports,  all  EtherChannel 
ports,  or  all  VLANs),  but  you  can  enter  multiple  ranges  in  a  command. 

This example shows how to use the interface range global configuration command to set the speed on ports 1 to 4 to 100 Mb/s:

Switch# configure terminal
Switch(config)# interface range gigabitethernet0/1 - 4
Switch(config-if-range)# speed 100

If  you  enter  multiple  configuration  commands  while  you  are  in  interface-range  mode,  each  command  is 
executed  as  it  is  entered.  The  commands  are  not  batched  and  executed  after  you  exit  interface-range 
mode.  If  you  exit  interface-range  configuration  mode  while  the  commands  are  being  executed,  some 
commands  might  not  be  executed  on  all  interfaces  in  the  range.  Wait  until  the  command  prompt 
reappears  before  exiting  interface-range  configuration  mode. 


Configuring  and  Using  Interface  Range  Macros 


You  can  create  an  interface  range  macro  to  automatically  select  a  range  of  interfaces  for  configuration. 
Before  you  can  use  the  macro  keyword  in  the  interface  range  macro  global  configuration  command 
string,  you  must  use  the  define  interface-range  global  configuration  command  to  define  the  macro. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  define  an  interface  range  macro: 


Step 1  configure terminal
        Enter global configuration mode.

Step 2  define interface-range macro_name interface-range
        Define the interface-range macro, and save it in NVRAM.
        • The macro_name is a 32-character maximum character string.
        • A macro can contain up to five comma-separated interface ranges.
        • Each interface-range must consist of the same port type.

Step 3  interface range macro macro_name
        Select the interface range to be configured using the values saved in the interface-range macro called macro_name.
        You can now use the normal configuration commands to apply the configuration to all interfaces in the defined macro.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show running-config | include define
        Show the defined interface range macro configuration.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Use the no define interface-range macro_name global configuration command to delete a macro.
When using the define interface-range global configuration command, note these guidelines:

• Valid entries for interface-range:

  - vlan vlan-ID, where the VLAN ID is 1 to 4094

    Note  Although the command-line interface shows options to set multiple VLANs, these options are not supported.

  - gigabitethernet module/{first port} - {last port}, where the module is always 0

  - port-channel port-channel-number - port-channel-number, where the port-channel-number is 1 to 48.

    Note  When you use the interface ranges with port channels, the first and last port-channel number must be active port channels.

• You must add a space between the first interface number and the hyphen when entering an interface-range. For example, gigabitethernet0/1 - 4 is a valid range; gigabitethernet0/1-4 is not a valid range.

• The VLAN interfaces must have been configured with the interface vlan command. The show running-config privileged EXEC command displays the configured VLAN interfaces. VLAN interfaces not displayed by the show running-config command cannot be used as interface-ranges.

• All interfaces defined in a range must be the same type (all Gigabit Ethernet ports, all EtherChannel ports, or all VLANs), but you can combine multiple interface types in a macro.
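As an added example that is not part of this guide or of Cisco's software, the following Python checks a port-range expression, or a whole define interface-range command, against the guidelines given above for both the interface range command and interface-range macros: spaces around the hyphen, a space after each comma, an interface type on every entry, at most five ranges, module 0, VLAN IDs 1 to 4094, port-channel numbers 1 to 48, and a macro name of at most 32 characters. Accepting a single interface without a hyphen, and not requiring the space before a comma, are assumptions beyond the grammar shown above.

```python
import re
from dataclasses import dataclass

# Limits stated in the interface-range guidelines of this chapter.
MAX_RANGES = 5          # up to five port ranges per command or macro
MAX_MACRO_NAME = 32     # macro_name is a 32-character maximum string
VLAN_IDS = (1, 4094)
PORT_CHANNELS = (1, 48)
MODULE = 0              # the module number is always 0 on this switch

# One entry of a port-range. The hyphen must be surrounded by spaces
# ("gigabitethernet0/1 - 4" is valid, "gigabitethernet0/1-4" is not).
# A single interface with no hyphen is accepted here as an assumption.
_GE = re.compile(r"^(?:gigabitethernet|gi) ?(\d+)/(\d+)(?: - (\d+))?$")
_PO = re.compile(r"^port-channel ?(\d+)(?: - (\d+))?$")
_VLAN = re.compile(r"^vlan ?(\d+)$")  # one VLAN only: multiple VLANs are not supported


@dataclass(frozen=True)
class Entry:
    kind: str   # "gigabitethernet", "port-channel" or "vlan"
    first: int
    last: int


def _bounded(value: int, limits: tuple, what: str, text: str) -> None:
    lo, hi = limits
    if not lo <= value <= hi:
        raise ValueError(f"{text!r}: {what} must be {lo} to {hi}")


def _parse_entry(text: str) -> Entry:
    # A hyphen touching a digit means the required spaces are missing.
    if re.search(r"\d-|-\d", text):
        raise ValueError(f"{text!r}: enter a space before and after the hyphen")
    if m := _GE.match(text):
        module, first, last = int(m[1]), int(m[2]), int(m[3] or m[2])
        if module != MODULE:
            raise ValueError(f"{text!r}: the module number is always {MODULE}")
        kind = "gigabitethernet"
    elif m := _PO.match(text):
        first, last = int(m[1]), int(m[2] or m[1])
        for n in (first, last):
            _bounded(n, PORT_CHANNELS, "port-channel number", text)
        kind = "port-channel"
    elif m := _VLAN.match(text):
        first = last = int(m[1])
        _bounded(first, VLAN_IDS, "VLAN ID", text)
        kind = "vlan"
    else:
        # Also catches "gigabitethernet0/1 - 2, 5 - 7": every comma-separated
        # entry must repeat its interface type.
        raise ValueError(f"{text!r}: each entry must start with its interface type")
    if first > last:
        raise ValueError(f"{text!r}: first interface number is greater than the last")
    return Entry(kind, first, last)


def parse_port_range(expr: str) -> list:
    """Parse a port-range as used by interface range and define interface-range."""
    expr = expr.strip()
    # The guidelines ask for a space before and after each comma; the chapter's
    # own macro1 example omits the one before, so only the space after the
    # comma is required here (assumption).
    for m in re.finditer(",", expr):
        if expr[m.end():m.end() + 1] != " ":
            raise ValueError("enter a space after each comma")
    pieces = re.split(r" ?, ", expr)
    if len(pieces) > MAX_RANGES:
        raise ValueError(f"at most {MAX_RANGES} port ranges are allowed")
    # Entries may be of different types: a macro can combine interface types.
    return [_parse_entry(p) for p in pieces]


def parse_define(command: str) -> tuple:
    """Validate 'define interface-range macro_name interface-range'."""
    m = re.match(r"^define interface-range (\S+) (.+)$", command.strip())
    if not m:
        raise ValueError("expected: define interface-range macro_name interface-range")
    if len(m[1]) > MAX_MACRO_NAME:
        raise ValueError(f"macro name {m[1]!r} exceeds {MAX_MACRO_NAME} characters")
    return m[1], parse_port_range(m[2])


def expand(entries: list) -> list:
    """List the interfaces an expression selects, in running-config spelling."""
    names = {"gigabitethernet": "GigabitEthernet0/{}",
             "port-channel": "Port-channel{}", "vlan": "Vlan{}"}
    return [names[e.kind].format(n) for e in entries
            for n in range(e.first, e.last + 1)]


def check(expr: str) -> str:
    """Return '' when expr is a valid port-range, otherwise the guideline it violates."""
    try:
        parse_port_range(expr)
    except ValueError as err:
        return str(err)
    return ""


if __name__ == "__main__":
    # Constructed inputs, taken from the examples in this chapter.
    for expr in ("gigabitethernet0/1 - 4", "gigabitethernet0/1-4",
                 "gigabitethernet0/1 - 2, gigabitethernet0/5 - 7", "port-channel 1 - 49"):
        problem = check(expr)
        print(f"{expr!r}: {problem or 'valid: ' + ' '.join(expand(parse_port_range(expr)))}")
```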

This example shows how to define an interface-range named enet_list to include ports 1 and 2 and to verify the macro configuration:

Switch# configure terminal
Switch(config)# define interface-range enet_list gigabitethernet0/1 - 2
Switch(config)# end
Switch# show running-config | include define
define interface-range enet_list GigabitEthernet0/1 - 2

This example shows how to create a multiple-interface macro named macro1:

Switch# configure terminal
Switch(config)# define interface-range macro1 gigabitethernet0/1 - 2, gigabitethernet0/5 - 7
Switch(config)# end

This example shows how to enter interface-range configuration mode for the interface-range macro enet_list:

Switch# configure terminal
Switch(config)# interface range macro enet_list
Switch(config-if-range)#

This example shows how to delete the interface-range macro enet_list and to verify that it was deleted:

Switch# configure terminal
Switch(config)# no define interface-range enet_list
Switch(config)# end
Switch# show run | include define
Switch#
Configuring Ethernet Interfaces

These sections contain this configuration information:

• Default Ethernet Interface Configuration, page 7-9

• Interface Speed and Duplex Mode, page 7-10

• Configuring IEEE 802.3x Flow Control, page 7-12

• Configuring Auto-MDIX on an Interface, page 7-13

• Adding a Description for an Interface, page 7-14

Default  Ethernet  Interface  Configuration 

Table  7-1  shows  the  Ethernet  interface  default  configuration.  For  more  details  on  the  VLAN  parameters 
listed  in  the  table,  see  Chapter  9,  "Configuring  VLANs."  For  details  on  controlling  traffic  to  the  port, 
see  Chapter  18,  "Configuring  Port-Based  Traffic  Control." 

Table 7-1  Default Layer 2 Ethernet Interface Configuration

Feature                                   Default Setting
Allowed VLAN range                        VLANs 1 to 4094.
Default VLAN (for access ports)           VLAN 1.
Native VLAN (for IEEE 802.1Q trunks)      VLAN 1.
VLAN trunking                             Switchport mode dynamic auto (supports DTP).
Port enable state                         All ports are enabled.
Port description                          None defined.
Speed                                     Autonegotiate.
Duplex mode                               Autonegotiate.
Flow control                              Flow control is set to receive: off. It is always off for sent packets.
EtherChannel (PAgP)                       Disabled on all Ethernet ports. See Chapter 28, "Configuring EtherChannels and Layer 2 Trunk Failover."
Port blocking (unknown multicast          Disabled (not blocked). See the "Configuring Port Blocking" section on page 18-6.
and unknown unicast traffic)
Broadcast, multicast, and unicast         Disabled. See the "Default Storm Control Configuration" section on page 18-3.
storm control
Protected port                            Disabled. See the "Configuring Protected Ports" section on page 18-5.
Port security                             Disabled. See the "Default Port Security Configuration" section on page 18-10.
Port Fast                                 Disabled. See the "Default Optional Spanning-Tree Configuration" section on page 14-9.
Auto-MDIX                                 Enabled.

Note  The switch might not support a pre-standard powered device — such as Cisco IP phones and access points that do not fully support IEEE 802.3af — if that powered device is connected to the switch through a crossover cable. This is regardless of whether auto-MDIX is enabled on the switch port.
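As an added example that is not part of this guide or of Cisco's software, this Python audit applies the Table 7-1 defaults to a constructed show running-config excerpt: a port with no switchport mode command is still in the default dynamic auto mode and will negotiate trunking with DTP, a trunk with no allowed list is still a member of VLANs 1 to 4094 (see "Trunk Ports" above), and a port with no description command has none. The interface names and the sample configuration are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Layer 2 interface defaults taken from Table 7-1 of this chapter.
DEFAULT_MODE = "dynamic auto"   # VLAN trunking: switchport mode dynamic auto (supports DTP)
DEFAULT_ALLOWED = "1-4094"      # allowed VLAN range: VLANs 1 to 4094
DEFAULT_NATIVE = "1"            # native VLAN for IEEE 802.1Q trunks

# Constructed running-config excerpt (not taken from a real switch).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description Blade Server A (VLAN 20)
 switchport access vlan 20
!
interface GigabitEthernet0/2
 description Connects to Marketing
 switchport mode access
 switchport access vlan 30
!
interface GigabitEthernet0/17
 description Uplink to router
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/18
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 20,30
 switchport mode trunk
!
"""

FINDINGS = {
    "DYNAMIC_AUTO": "no switchport mode: the port is in the default dynamic auto mode and "
                    "will negotiate a trunk over DTP; set switchport mode access or trunk explicitly",
    "ALLOWED_ALL": "trunk has no allowed list: it is a member of every VLAN (1 to 4094) that "
                   "VTP knows; configure an allowed list of the VLANs this trunk needs",
    "NO_DESCRIPTION": "no description: the port's function is not recorded in "
                      "show interfaces or show running-config",
}


@dataclass
class Port:
    name: str
    commands: list[str] = field(default_factory=list)

    def value(self, prefix: str) -> str | None:
        """Return what follows `prefix` in this port's configuration, or None if unset."""
        for cmd in self.commands:
            if cmd == prefix or cmd.startswith(prefix + " "):
                return cmd[len(prefix):].strip()
        return None


def parse_interfaces(config: str) -> list[Port]:
    """Split running-config text into interface sections (indented lines belong to one)."""
    ports: list[Port] = []
    current: Port | None = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Port(raw.split(" ", 1)[1].strip())
            ports.append(current)
        elif raw.startswith(" ") and current is not None:
            current.commands.append(raw.strip())
        else:
            current = None      # "!" or any other top-level line ends the section
    return ports


def effective_settings(port: Port) -> dict[str, str]:
    """Resolve the settings Table 7-1 gives defaults for, falling back to those defaults."""
    return {
        "mode": port.value("switchport mode") or DEFAULT_MODE,
        "allowed": port.value("switchport trunk allowed vlan") or DEFAULT_ALLOWED,
        "native": port.value("switchport trunk native vlan") or DEFAULT_NATIVE,
        "description": port.value("description") or "",
    }


def audit(config: str) -> dict[str, list[str]]:
    """Map each interface name to the finding codes that apply to it."""
    report: dict[str, list[str]] = {}
    for port in parse_interfaces(config):
        s = effective_settings(port)
        codes = []
        if s["mode"] == DEFAULT_MODE:
            codes.append("DYNAMIC_AUTO")
        if s["mode"] == "trunk" and s["allowed"] == DEFAULT_ALLOWED:
            codes.append("ALLOWED_ALL")
        if not s["description"]:
            codes.append("NO_DESCRIPTION")
        report[port.name] = codes
    return report


if __name__ == "__main__":
    for name, codes in audit(SAMPLE_CONFIG).items():
        print(name, "OK" if not codes else "")
        for code in codes:
            print("   ", FINDINGS[code])
```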

Interface  Speed  and  Duplex  Mode 

Ethernet  interfaces  on  the  switch  operate  at  10,  100,  or  1000  Mb/s  and  in  either  full-  or  half-duplex  mode. 
In  full-duplex  mode,  two  stations  can  send  and  receive  traffic  at  the  same  time.  Normally,  10-Mb/s  ports 
operate  in  half-duplex  mode,  which  means  that  stations  can  either  receive  or  send  traffic. 

Switch models include Gigabit Ethernet (10/100/1000-Mb/s) ports and small form-factor pluggable (SFP) module slots supporting SFP modules.

These  sections  describe  how  to  configure  the  interface  speed  and  duplex  mode: 

•  Speed  and  Duplex  Configuration  Guidelines,  page  7-10 

•  Setting  the  Interface  Speed  and  Duplex  Parameters,  page  7-11 

Speed  and  Duplex  Configuration  Guidelines 

When  configuring  an  interface  speed  and  duplex  mode,  note  these  guidelines: 

•  Gigabit  Ethernet  (10/100/1000-Mb/s)  ports  support  all  speed  options  and  all  duplex  options  (auto, 
half,  and  full).  However,  Gigabit  Ethernet  ports  operating  at  1000  Mb/s  do  not  support  half-duplex 
mode. 

• For SFP module ports, the speed and duplex CLI options change depending on the SFP module type:

  - The 1000BASE-x (where -x is -BX, -CWDM, -LX, -SX, and -ZX) SFP module ports support the nonegotiate keyword in the speed interface configuration command. Duplex options are not supported.

  - The 1000BASE-T SFP module ports support the same speed and duplex options as the 10/100/1000-Mb/s ports.

  - The 100BASE-x (where -x is -BX, -CWDM, -LX, -SX, and -ZX) SFP module ports support only 100 Mb/s. These modules support full- and half-duplex options but do not support autonegotiation.

For  information  about  which  SFP  modules  are  supported  on  your  switch,  see  the  product 
release  notes. 

•  You  cannot  configure  duplex  mode  on  SFP  module  ports;  they  operate  in  full-duplex  mode  except 
in  these  situations: 

-  You  can  configure  Cisco  1000BASE-T  SFP  modules  for  auto,  full,  or  half-duplex  mode. 

-  Cisco  1000BASE-SX  SFP  modules  can  operate  only  in  full-duplex  mode. 
• If you are connected to a device that does not support autonegotiation, you can configure speed on copper SFP module ports; however, you can only configure fiber SFP module ports to not negotiate (nonegotiate).

• If both ends of the line support autonegotiation, we highly recommend the default setting of autonegotiation.

• If one interface supports autonegotiation and the other end does not, configure duplex and speed on both interfaces; do not use the auto setting on the supported side.

• When STP is enabled and a port is reconfigured, the switch can take up to 30 seconds to check for loops. The port LED is amber while STP reconfigures.

Caution  Changing the interface speed and duplex mode configuration might shut down and re-enable the interface during the reconfiguration.


Setting  the  Interface  Speed  and  Duplex  Parameters 


Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  set  the  speed  and  duplex  mode  for  a  physical 
interface: 
Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify the physical interface to be configured, and enter interface configuration mode.

Step 3  speed {10 | 100 | 1000 | auto [10 | 100 | 1000] | nonegotiate}
        Enter the appropriate speed parameter for the interface:
        • Enter 10, 100, or 1000 to set a specific speed for the interface. The 1000 keyword is available only for 10/100/1000 Mb/s ports.
        • Enter auto to enable the interface to autonegotiate speed with the connected device. If you use the 10, 100, or the 1000 keywords with the auto keyword, the port autonegotiates only at the specified speeds.
        • The nonegotiate keyword is available only for SFP module ports. SFP module ports operate only at 1000 Mb/s but can be configured to not negotiate if connected to a device that does not support autonegotiation.
        For more information about speed settings, see the "Speed and Duplex Configuration Guidelines" section on page 7-10.

Step 4  duplex {auto | full | half}
        Enter the duplex parameter for the interface.
        Enable half-duplex mode (for interfaces operating only at 10 or 100 Mb/s). You cannot configure half-duplex mode for interfaces operating at 1000 Mb/s.
        For more information about duplex settings, see the "Speed and Duplex Configuration Guidelines" section on page 7-10.

Step 5  end
        Return to privileged EXEC mode.

Step 6  show interfaces interface-id
        Display the interface speed and duplex mode configuration.

Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Use the no speed and no duplex interface configuration commands to return the interface to the default speed and duplex settings (autonegotiate). To return all interface settings to the defaults, use the default interface interface-id interface configuration command.

This example shows how to set the interface speed to 100 Mb/s on a 10/100/1000 Mb/s port:

Switch# configure terminal
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# speed 100


Configuring  IEEE  802.3x  Flow  Control 

Flow  control  enables  connected  Ethernet  ports  to  control  traffic  rates  during  congestion  by  allowing 
congested  nodes  to  pause  link  operation  at  the  other  end.  If  one  port  experiences  congestion  and  cannot 
receive  any  more  traffic,  it  notifies  the  other  port  by  sending  a  pause  frame  to  stop  sending  until  the 
condition  clears.  Upon  receipt  of  a  pause  frame,  the  sending  device  stops  sending  any  data  packets, 
which  prevents  any  loss  of  data  packets  during  the  congestion  period. 


Note      Switchports  can  receive,  but  not  send,  pause  frames. 


You  use  the  flowcontrol  interface  configuration  command  to  set  the  interface's  ability  to  receive  pause 
frames  to  on,  off,  or  desired.  The  default  state  is  off. 

When  set  to  desired,  an  interface  can  operate  with  an  attached  device  that  is  required  to  send 
flow-control  packets  or  with  an  attached  device  that  is  not  required  to  but  can  send  flow-control  packets. 

These  rules  apply  to  flow  control  settings  on  the  device: 

•  receive  on  (or  desired):  The  port  cannot  send  pause  frames  but  can  operate  with  an  attached  device 
that  is  required  to  or  can  send  pause  frames;  the  port  can  receive  pause  frames. 

•  receive  off:  Flow  control  does  not  operate  in  either  direction.  In  case  of  congestion,  no  indication 
is  given  to  the  link  partner,  and  no  pause  frames  are  sent  or  received  by  either  device. 


Note      For  details  on  the  command  settings  and  the  resulting  flow  control  resolution  on  local  and  remote  ports, 
see  the  flowcontrol  interface  configuration  command  in  the  command  reference  for  this  release. 


Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  flow  control  on  an  interface: 


Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify the physical interface to be configured, and enter interface configuration mode.

Step 3  flowcontrol {receive} {on | off | desired}
        Configure the flow control mode for the port.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show interfaces interface-id
        Verify the interface flow control settings.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To disable flow control, use the flowcontrol receive off interface configuration command.

This example shows how to turn on flow control on a port:

Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# flowcontrol receive on
Switch(config-if)# end


Configuring  Auto-MDIX  on  an  Interface 

When  automatic  medium-dependent  interface  crossover  (auto-MDIX)  is  enabled  on  an  interface,  the 
interface  automatically  detects  the  required  cable  connection  type  (straight  through  or  crossover)  and 
configures  the  connection  appropriately.  When  connecting  switches  without  the  auto-MDIX  feature,  you 
must  use  straight-through  cables  to  connect  to  devices  such  as  servers,  workstations,  or  routers  and 
crossover  cables  to  connect  to  other  switches  or  repeaters.  With  auto-MDIX  enabled,  you  can  use  either 
type  of  cable  to  connect  to  other  devices,  and  the  interface  automatically  corrects  for  any  incorrect 
cabling.  For  more  information  about  cabling  requirements,  see  the  hardware  installation  guide. 

Auto-MDIX  is  enabled  by  default.  When  you  enable  auto-MDIX,  you  must  also  set  the  interface  speed 
and  duplex  to  auto  so  that  the  feature  operates  correctly.  Auto-MDIX  is  supported  on  all 
10/100/1000-Mb/s  interfaces  and  on  10/100/1000BASE-T  SFP-module  interfaces.  It  is  not  supported  on 
1000BASE-SX  or  -LX  SFP  module  interfaces. 

Table  7-2  shows  the  link  states  that  result  from  auto-MDIX  settings  and  correct  and  incorrect  cabling. 


Table 7-2  Link Conditions and Auto-MDIX Settings

Local Side Auto-MDIX   Remote Side Auto-MDIX   With Correct Cabling   With Incorrect Cabling
On                     On                      Link up                Link up
On                     Off                     Link up                Link up
Off                    On                      Link up                Link up
Off                    Off                     Link up                Link down

Beginning in privileged EXEC mode, follow these steps to configure auto-MDIX on an interface:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify the physical interface to be configured, and enter interface configuration mode.

Step 3  speed auto
        Configure the interface to autonegotiate speed with the connected device.

Step 4  duplex auto
        Configure the interface to autonegotiate duplex mode with the connected device.

Step 5  mdix auto
        Enable auto-MDIX on the interface.

Step 6  end
        Return to privileged EXEC mode.

Step 7  show controllers ethernet-controller interface-id phy
        Verify the operational state of the auto-MDIX feature on the interface.

Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To disable auto-MDIX, use the no mdix auto interface configuration command.

This example shows how to enable auto-MDIX on a port:

Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# speed auto
Switch(config-if)# duplex auto
Switch(config-if)# mdix auto
Switch(config-if)# end


Adding  a  Description  for  an  Interface 


You  can  add  a  description  about  an  interface  to  help  you  remember  its  function.  The  description  appears 
in  the  output  of  these  privileged  EXEC  commands:  show  configuration,  show  running-config,  and 
show  interfaces. 

Beginning in privileged EXEC mode, follow these steps to add a description for an interface:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify the interface for which you are adding a description, and enter interface configuration mode.

Step 3  description string
        Add a description (up to 240 characters) for an interface.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show interfaces interface-id description
        or
        show running-config
        Verify your entry.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Use the no description interface configuration command to delete the description.

This example shows how to add a description on a port and how to verify the description:

Switch# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# description Connects to Marketing
Switch(config-if)# end
Switch# show interfaces gigabitethernet0/2 description
Interface   Status       Protocol   Description
Gi0/2       admin down   down       Connects to Marketing


Configuring  the  System  MTU 

The  default  maximum  transmission  unit  (MTU)  size  for  frames  received  and  transmitted  on  all  interfaces 
on  the  switch  is  1500  bytes.  You  can  increase  the  MTU  size  for  all  interfaces  operating  at  10  or  100  Mb/s 
by  using  the  system  mtu  global  configuration  command.  You  can  increase  the  MTU  size  to  support 
jumbo  frames  on  all  Gigabit  Ethernet  interfaces  by  using  the  system  mtu  jumbo  global  configuration 
command. 
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Note 


Gigabit  Ethernet  ports  are  not  affected  by  the  system  mtu  command;  10/100  ports  are  not  affected  by 
the  system  jumbo  mtu  command.  If  you  do  not  configure  the  system  mtu  jumbo  command,  the  setting 
of  the  system  mtu  command  applies  to  all  Gigabit  Ethernet  interfaces. 

You  cannot  set  the  MTU  size  for  an  individual  interface;  you  set  it  for  all  10/100  or  all  Gigabit  Ethernet 
interfaces  on  the  switch.  When  you  change  the  system  or  jumbo  MTU  size,  you  must  reset  the  switch 
before  the  new  configuration  takes  effect. 

Frame sizes that can be received by the switch CPU are limited to 1998 bytes, no matter what value was
entered with the system mtu or system mtu jumbo commands. Although frames that are forwarded are
typically not received by the CPU, in some cases packets are sent to the CPU, such as control traffic and
traffic addressed to the switch itself (for example, SNMP or Telnet).


If  Gigabit  Ethernet  interfaces  are  configured  to  accept  frames  greater  than  the  10/100  interfaces,  jumbo 
frames  received  on  a  Gigabit  Ethernet  interface  and  sent  on  a  10/100  interface  are  dropped. 


Beginning in privileged EXEC mode, follow these steps to change the MTU size for all 10/100 or Gigabit
Ethernet interfaces:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  system mtu bytes
        (Optional) Change the MTU size for all interfaces on the switch that are operating at 10 or 100 Mb/s.
        The range is 1500 to 1998 bytes; the default is 1500 bytes.

Step 3  system mtu jumbo bytes
        (Optional) Change the MTU size for all Gigabit Ethernet interfaces on the switch. The range is 1500 to
        9000 bytes; the default is 1500 bytes.

Step 4  end
        Return to privileged EXEC mode.

Step 5  copy running-config startup-config
        Save your entries in the configuration file.

Step 6  reload
        Reload the operating system.

If  you  enter  a  value  that  is  outside  the  allowed  range  for  the  specific  type  of  interface,  the  value  is  not 
accepted. 

Once  the  switch  reloads,  you  can  verify  your  settings  by  entering  the  show  system  mtu  privileged  EXEC 
command. 

This example shows how to set the maximum packet size for a Gigabit Ethernet port to 1800 bytes:

Switch(config)# system mtu jumbo 1800
Switch(config)# exit
Switch# reload

This example shows the response when you try to set Gigabit Ethernet interfaces to an out-of-range
number:

Switch(config)# system mtu jumbo 25000
% Invalid input detected at '^' marker.
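To make the interaction between the two MTU commands, the reload requirement, the 1998-byte CPU limit, and the Gigabit-to-10/100 drop rule concrete, here is an added Python model. It is example code written for this page, not Cisco's implementation; the interface classes "10/100" and "gigabit", the method names, and the sample frame sizes are assumptions, while the ranges and rules are the ones stated in this section.

```python
# Added example (not from the Cisco guide): a model of the system MTU rules
# described in "Configuring the System MTU". Interface classes, method names
# and sample sizes are assumptions; ranges and behaviour follow the text.

MTU_RANGES = {
    # command -> (interface class it governs, minimum, maximum)
    "system mtu": ("10/100", 1500, 1998),
    "system mtu jumbo": ("gigabit", 1500, 9000),
}
CPU_MAX_FRAME = 1998   # frames handed to the switch CPU are capped here, whatever the MTU
DEFAULT_MTU = 1500


class SystemMtu:
    """Tracks the two global MTU settings and whether a reload is still pending."""

    def __init__(self):
        self.mtu = DEFAULT_MTU      # governs 10/100 interfaces
        self.jumbo = None           # None: 'system mtu jumbo' never configured
        self.reload_required = False

    def configure(self, command: str, value: int) -> str:
        """Mimic the CLI: an out-of-range value is rejected and nothing changes."""
        if command not in MTU_RANGES:
            return "% Invalid input detected at '^' marker."
        _, lo, hi = MTU_RANGES[command]
        if not lo <= value <= hi:
            return "% Invalid input detected at '^' marker."
        if command == "system mtu":
            self.mtu = value
        else:
            self.jumbo = value
        self.reload_required = True     # the new size takes effect only after reload
        return "ok"

    def effective_mtu(self, iface_type: str) -> int:
        """Gigabit ports follow the jumbo setting; if it was never set, they
        follow 'system mtu' like the 10/100 ports."""
        if iface_type == "gigabit":
            return self.jumbo if self.jumbo is not None else self.mtu
        return self.mtu

    def forward(self, frame_len: int, ingress: str, egress: str) -> str:
        """Fate of a transit frame between two interface classes."""
        if frame_len > self.effective_mtu(ingress):
            return "dropped: exceeds ingress MTU"
        if frame_len > self.effective_mtu(egress):
            # e.g. a jumbo frame received on a Gigabit port and sent on a 10/100 port
            return "dropped: exceeds egress MTU"
        return "forwarded"

    def to_cpu(self, frame_len: int, ingress: str) -> str:
        """Frames punted to the CPU (control traffic, SNMP, Telnet) are limited
        to 1998 bytes regardless of the configured MTU."""
        if frame_len > self.effective_mtu(ingress):
            return "dropped: exceeds ingress MTU"
        if frame_len > CPU_MAX_FRAME:
            return "dropped: exceeds CPU frame limit"
        return "delivered to CPU"


if __name__ == "__main__":
    m = SystemMtu()
    print(m.configure("system mtu jumbo", 1800))
    print(m.forward(1700, "gigabit", "10/100"))   # jumbo frame towards a 10/100 port
```

The model makes one point that is easy to miss when reading the two commands in isolation: raising the jumbo MTU on the Gigabit ports changes nothing for frames that must leave through a 10/100 port or reach the CPU, so an oversized frame can still be silently dropped after a reload that appeared to succeed.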
Monitoring and Maintaining the Interfaces

These  sections  contain  interface  monitoring  and  maintenance  information: 

•  Monitoring  Interface  Status,  page  7-16 

•  Clearing  and  Resetting  Interfaces  and  Counters,  page  7-17 

•  Shutting  Down  and  Restarting  the  Interface,  page  7-17 

Monitoring  Interface  Status 

Commands  entered  at  the  privileged  EXEC  prompt  display  information  about  the  interface,  including 
the  versions  of  the  software  and  the  hardware,  the  configuration,  and  statistics  about  the  interfaces. 
Table  7-3  lists  some  of  these  interface  monitoring  commands.  (You  can  display  the  full  list  of  show 
commands  by  using  the  show  ?  command  at  the  privileged  EXEC  prompt.)  These  commands  are  fully 
described  in  the  Cisco  IOS  Interface  Command  Reference,  Release  12.2. 


Table 7-3  Show Commands for Interfaces

Command                                                        Purpose

show interfaces [interface-id]
        Display the status and configuration of all interfaces or a specific interface.

show interfaces interface-id status [err-disabled]
        Display interface status or a list of interfaces in an error-disabled state.

show interfaces [interface-id] switchport
        Display administrative and operational status of switching ports.

show interfaces [interface-id] description
        Display the description configured on an interface or all interfaces and the interface status.

show ip interface [interface-id]
        Display the usability status of all interfaces configured for IP routing or the specified interface.

show interface [interface-id] stats
        Display the input and output packets by the switching path for the interface.

show interfaces transceiver properties
        (Optional) Display speed and duplex settings on the interface.

show interfaces [interface-id] [{transceiver properties | detail}] [module number]
        Display physical and operational status about an SFP module.

show running-config interface [interface-id]
        Display the running configuration in RAM for the interface.

show version
        Display the hardware configuration, software version, the names and sources of configuration files,
        and the bootup images.

show controllers ethernet-controller interface-id phy
        Display the operational state of the auto-MDIX feature on the interface.
Clearing and Resetting Interfaces and Counters

Table 7-4 lists the privileged EXEC mode clear commands that you can use to clear counters and reset
interfaces.

Table 7-4  Clear Commands for Interfaces

Command                                                        Purpose

clear counters [interface-id]
        Clear interface counters.

clear interface interface-id
        Reset the hardware logic on an interface.

clear line [number | console 0 | vty number]
        Reset the hardware logic on an asynchronous serial line.

To clear the interface counters shown by the show interfaces privileged EXEC command, use the clear
counters privileged EXEC command. The clear counters command clears all current interface counters
from the interface unless you specify optional arguments that clear only a specific interface type from a
specific interface number.

Note      The clear counters privileged EXEC command does not clear counters retrieved by using Simple
Network Management Protocol (SNMP), but only those seen with the show interface privileged EXEC
command.


Shutting  Down  and  Restarting  the  Interface 

Shutting  down  an  interface  disables  all  functions  on  the  specified  interface  and  marks  the  interface  as 
unavailable  on  all  monitoring  command  displays.  This  information  is  communicated  to  other  network 
servers  through  all  dynamic  routing  protocols.  The  interface  is  not  mentioned  in  any  routing  updates. 

Beginning in privileged EXEC mode, follow these steps to shut down an interface:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface {vlan vlan-id} | {{fastethernet | gigabitethernet} interface-id} | {port-channel port-channel-number}
        Select the interface to be configured.

Step 3  shutdown
        Shut down an interface.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show running-config
        Verify your entry.

Use  the  no  shutdown  interface  configuration  command  to  restart  the  interface. 

To  verify  that  an  interface  is  disabled,  enter  the  show  interfaces  privileged  EXEC  command.  A  disabled 
interface  is  shown  as  administratively  down  in  the  display. 
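As an added example that is not part of the Cisco guide, the following Python parses the output of show interfaces description in the format shown in this chapter and separates ports that are administratively down (shut down on purpose) from ports that are enabled but have no link, which is the distinction the paragraph above relies on. The sample output is constructed; its interface names and descriptions are placeholders, and the two-word "admin down" status is the case a naive whitespace split gets wrong.

```python
import re

# Added example (not from the Cisco guide): parse 'show interfaces description'
# output and report shut-down versus link-down ports. The sample output is
# constructed in the column layout shown in this chapter.

SAMPLE_OUTPUT = """\
Interface                      Status         Protocol Description
Gi0/1                          up             up       Uplink to core
Gi0/2                          admin down     down     Connects to Marketing
Gi0/3                          down           down
Vl1                            up             up       Management
"""

# Status is 'up', 'down' or the two-word 'admin down'; Protocol is one word;
# Description is optional free text, so it is matched last and may be empty.
ROW_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<status>admin down|up|down)\s+(?P<proto>\S+)\s*(?P<desc>.*)$"
)


def parse_interface_description(text: str) -> list[dict]:
    """Return one dict per interface row; raises on a line it cannot read
    rather than silently skipping it."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Interface"):
            continue                      # blank line or the column header
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        rows.append({
            "interface": m["iface"],
            "status": m["status"],
            "protocol": m["proto"],
            "description": m["desc"].strip(),
        })
    return rows


def classify(rows: list[dict]) -> dict[str, list[str]]:
    """'admin down' means the port was shut down with the shutdown command;
    plain 'down' means it is enabled but has no link."""
    result = {"admin_down": [], "link_down": [], "up": []}
    for r in rows:
        if r["status"] == "admin down":
            result["admin_down"].append(r["interface"])
        elif r["status"] == "down":
            result["link_down"].append(r["interface"])
        else:
            result["up"].append(r["interface"])
    return result


if __name__ == "__main__":
    for bucket, names in classify(parse_interface_description(SAMPLE_OUTPUT)).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Feed the real command output in place of SAMPLE_OUTPUT when auditing a switch; the parser raises on any line it does not understand, so a changed column layout is noticed instead of being misreported as a port state.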
Configuring Smartports Macros


This  chapter  describes  how  to  configure  and  apply  Smartports  macros  on  the  switch. 


Note      For  complete  syntax  and  usage  information  for  the  commands  used  in  this  chapter,  see  the  command 
reference  for  this  release. 

This  chapter  consists  of  these  sections: 

•  Understanding  Smartports  Macros,  page  8-1 

•  Configuring  Smartports  Macros,  page  8-2 

•  Displaying  Smartports  Macros,  page  8-8 

Understanding  Smartports  Macros 

Smartports  macros  provide  a  convenient  way  to  save  and  share  common  configurations.  You  can  use 
Smartports  macros  to  enable  features  and  settings  based  on  the  location  of  a  switch  in  the  network  and 
for  mass  configuration  deployments  across  the  network. 

Each  Smartports  macro  is  a  set  of  command-line  interface  (CLI)  commands  that  you  define.  Smartports 
macros  do  not  contain  new  CLI  commands;  they  are  simply  a  group  of  existing  CLI  commands. 

When  you  apply  a  Smartports  macro  on  an  interface,  the  CLI  commands  within  the  macro  are  configured 
on  the  interface.  When  the  macro  is  applied  to  an  interface,  the  existing  interface  configurations  are  not 
lost.  The  new  commands  are  added  to  the  interface  and  are  saved  in  the  running  configuration  file. 

There  are  Cisco-default  Smartports  macros  embedded  in  the  switch  software  (see  Table  8-1).  You  can 
display  these  macros  and  the  commands  they  contain  by  using  the  show  parser  macro  user  EXEC 
command. 


Table 8-1  Cisco-Default Smartports Macros

Macro Name (1)      Description

cisco-global        Use this global configuration macro to enable rapid PVST+, loop guard, and dynamic
                    port error recovery for link state failures.

cisco-desktop       Use this interface configuration macro for increased network security and reliability
                    when connecting a desktop device, such as a PC, to a switch port.

cisco-phone         Use this interface configuration macro when connecting a desktop device such as a
                    PC with a Cisco IP Phone to a switch port. This macro is an extension of the
                    cisco-desktop macro and provides the same security and resiliency features, but with
                    the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive
                    voice traffic.

cisco-switch        Use this interface configuration macro when connecting an access switch and a
                    distribution switch or between access switches connected using small form-factor
                    pluggable (SFP) modules.

cisco-router        Use this interface configuration macro when connecting the switch and a WAN
                    router.

cisco-wireless      Use this interface configuration macro when connecting the switch and a wireless
                    access point.

1. Cisco-default Smartports macros vary depending on the software version running on your switch.


Cisco  also  provides  a  collection  of  pretested,  Cisco-recommended  baseline  configuration  templates  for 
Catalyst  switches.  The  online  reference  guide  templates  provide  the  CLI  commands  that  you  can  use  to 
create  Smartports  macros  based  on  the  usage  of  the  port.  You  can  use  the  configuration  templates  to 
create  Smartports  macros  to  build  and  deploy  Cisco-recommended  network  designs  and  configurations. 
For  more  information  about  Cisco-recommended  configuration  templates,  see  this  Smartports  website: 

http://www.cisco.com/go/smartports 

Configuring  Smartports  Macros 

You  can  create  a  new  Smartports  macro  or  use  an  existing  macro  as  a  template  to  create  a  new  macro 
that  is  specific  to  your  application.  After  you  create  the  macro,  you  can  apply  it  globally  to  a  switch  or 
to  a  switch  interface  or  range  of  interfaces. 

These  sections  contain  this  configuration  information: 

•  Default  Smartports  Macro  Configuration,  page  8-2 

•  Smartports  Macro  Configuration  Guidelines,  page  8-3 

•  Creating  Smartports  Macros,  page  8-4 

•  Applying  Smartports  Macros,  page  8-5 

•  Applying  Cisco-Default  Smartports  Macros,  page  8-6 

Default  Smartports  Macro  Configuration 

There  are  no  Smartports  macros  enabled. 
Smartports Macro Configuration Guidelines

Follow  these  guidelines  when  configuring  macros  on  your  switch: 

•  When  creating  a  macro,  do  not  use  the  exit  or  end  commands  or  change  the  command  mode  by  using 
interface  interface-id.  This  could  cause  commands  that  follow  exit,  end,  or  interface  interface-id 
to  execute  in  a  different  command  mode. 

•  When  creating  a  macro,  all  CLI  commands  should  be  in  the  same  configuration  mode. 

•  When  creating  a  macro  that  requires  the  assignment  of  unique  values,  use  the  parameter  value 
keywords  to  designate  values  specific  to  the  interface.  Keyword  matching  is  case  sensitive.  All 
matching  occurrences  of  the  keyword  are  replaced  with  the  corresponding  value.  Any  full  match  of 
a  keyword,  even  if  it  is  part  of  a  larger  string,  is  considered  a  match  and  is  replaced  by  the 
corresponding  value. 

•  Macro  names  are  case  sensitive.  For  example,  the  commands  macro  name  Sample-Macro  and 
macro  name  sample-macro  will  result  in  two  separate  macros. 

•  Some  macros  might  contain  keywords  that  require  a  parameter  value.  You  can  use  the  macro  global 
apply  macro-name  ?  global  configuration  command  or  the  macro  apply  macro-name  ?  interface 
configuration  command  to  display  a  list  of  any  required  values  in  the  macro.  If  you  apply  a  macro 
without  entering  the  keyword  values,  the  commands  are  invalid  and  are  not  applied. 

•  When  a  macro  is  applied  globally  to  a  switch  or  to  a  switch  interface,  all  existing  configuration  on 
the  interface  is  retained.  This  is  helpful  when  applying  an  incremental  configuration. 

•  If  you  modify  a  macro  definition  by  adding  or  deleting  commands,  the  changes  are  not  reflected  on 
the  interface  where  the  original  macro  was  applied.  You  need  to  reapply  the  updated  macro  on  the 
interface  to  apply  the  new  or  changed  commands. 

•  You can use the macro global trace macro-name global configuration command or the macro trace
macro-name interface configuration command to apply and debug a macro to find any syntax or
configuration errors. If a command fails because of a syntax error or a configuration error, the macro
continues to apply the remaining commands.

•  Some  CLI  commands  are  specific  to  certain  interface  types.  If  a  macro  is  applied  to  an  interface  that 
does  not  accept  the  configuration,  the  macro  will  fail  the  syntax  check  or  the  configuration  check, 
and  the  switch  will  return  an  error  message. 

•  Applying  a  macro  to  an  interface  range  is  the  same  as  applying  a  macro  to  a  single  interface.  When 
you  use  an  interface  range,  the  macro  is  applied  sequentially  to  each  interface  within  the  range.  If  a 
macro  command  fails  on  one  interface,  it  is  still  applied  to  the  remaining  interfaces. 

•  When  you  apply  a  macro  to  a  switch  or  a  switch  interface,  the  macro  name  is  automatically  added 
to  the  switch  or  interface.  You  can  display  the  applied  commands  and  macro  names  by  using  the 
show  running-config  user  EXEC  command. 

There  are  Cisco-default  Smartports  macros  embedded  in  the  switch  software  (see  Table  8-1).  You  can 
display  these  macros  and  the  commands  they  contain  by  using  the  show  parser  macro  user  EXEC 
command. 
Follow these guidelines when you apply a Cisco-default Smartports macro on an interface:

•  Display  all  macros  on  the  switch  by  using  the  show  parser  macro  user  EXEC  command.  Display 
the  contents  of  a  specific  macro  by  using  the  show  parser  macro  macro-name  user  EXEC 
command. 

•  Keywords  that  begin  with  $  mean  that  a  unique  parameter  value  is  required.  Append  the 
Cisco-default  macro  with  the  required  values  by  using  the  parameter  value  keywords. 

The  Cisco-default  macros  use  the  $  character  to  help  identify  required  keywords.  There  is  no 
restriction  on  using  the  $  character  to  define  keywords  when  you  create  a  macro. 


Creating  Smartports  Macros 

Beginning in privileged EXEC mode, follow these steps to create a Smartports macro:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  macro name macro-name
        Create a macro definition, and enter a macro name. A macro definition can contain up to 3000
        characters.

        Enter the macro commands with one command per line. Use the @ character to end the macro. Use
        the # character at the beginning of a line to enter comment text within the macro.

        (Optional) You can define keywords within a macro by using a help string to specify the keywords.
        Enter # macro keywords word to define the keywords that are available for use with the macro.
        Separated by a space, you can enter up to three help string keywords in a macro.

        Macro names are case sensitive. For example, the commands macro name Sample-Macro and
        macro name sample-macro will result in two separate macros.

        We recommend that you do not use the exit or end commands or change the command mode by
        using interface interface-id in a macro. This could cause any commands following exit, end, or
        interface interface-id to execute in a different command mode. For best results, all commands in a
        macro should be in the same configuration mode.

Step 3  end
        Return to privileged EXEC mode.

Step 4  show parser macro name macro-name
        Verify that the macro was created.


The  no  form  of  the  macro  name  global  configuration  command  only  deletes  the  macro  definition.  It 
does  not  affect  the  configuration  of  those  interfaces  on  which  the  macro  is  already  applied. 

This example shows how to create a macro that defines the switchport access VLAN and the number of
secure MAC addresses and also includes two help string keywords by using # macro keywords:

Switch(config)# macro name test
switchport access vlan $VLANID
switchport port-security maximum $MAX
#macro keywords $VLANID $MAX
@
Applying Smartports Macros

Beginning in privileged EXEC mode, follow these steps to apply a Smartports macro:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  macro global {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}]
        Apply each individual command defined in the macro to the switch by entering macro global apply
        macro-name. Specify macro global trace macro-name to apply and debug a macro to find any syntax
        or configuration errors.

        (Optional) Specify unique parameter values that are specific to the switch. You can enter up to three
        keyword-value pairs. Parameter keyword matching is case sensitive. All matching occurrences of the
        keyword are replaced with the corresponding value.

        Some macros might contain keywords that require a parameter value. You can use the macro global
        apply macro-name ? command to display a list of any required values in the macro. If you apply a
        macro without entering the keyword values, the commands are invalid and are not applied.

Step 3  macro global description text
        (Optional) Enter a description about the macro that is applied to the switch.

Step 4  interface interface-id
        (Optional) Enter interface configuration mode, and specify the interface on which to apply the macro.

Step 5  default interface interface-id
        (Optional) Clear all configuration from the specified interface.

Step 6  macro {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}]
        Apply each individual command defined in the macro to the interface by entering macro apply
        macro-name. Specify macro trace macro-name to apply and debug a macro to find any syntax or
        configuration errors.

        (Optional) Specify unique parameter values that are specific to the interface. You can enter up to three
        keyword-value pairs. Parameter keyword matching is case sensitive. All matching occurrences of the
        keyword are replaced with the corresponding value.

        Some macros might contain keywords that require a parameter value. You can use the macro apply
        macro-name ? command to display a list of any required values in the macro. If you apply a macro
        without entering the keyword values, the commands are invalid and are not applied.

Step 7  macro description text
        (Optional) Enter a description about the macro that is applied to the interface.

Step 8  end
        Return to privileged EXEC mode.

Step 9  show parser macro description [interface interface-id]
        Verify that the macro is applied to the interface.

Step 10 copy running-config startup-config
        (Optional) Save your entries in the configuration file.

You  can  delete  a  global  macro-applied  configuration  on  a  switch  only  by  entering  the  no  version  of  each 
command  that  is  in  the  macro.  You  can  delete  a  macro-applied  configuration  on  an  interface  by  entering 
the  default  interface  interface-id  interface  configuration  command. 
This example shows how to apply the user-created macro called snmp, to set the hostname address to
test-server, and to set the IP precedence value to 7:

Switch(config)# macro global apply snmp ADDRESS test-server VALUE 7

This example shows how to debug the user-created macro called snmp by using the macro global trace
global configuration command to find any syntax or configuration errors in the macro when it is applied
to the switch:

Switch(config)# macro global trace snmp VALUE 7
Applying command...'snmp-server enable traps port-security'
Applying command...'snmp-server enable traps linkup'
Applying command...'snmp-server enable traps linkdown'
Applying command...'snmp-server host'
%Error Unknown error.
Applying command...'snmp-server ip precedence 7'

This example shows how to apply the user-created macro called desktop-config and to verify the
configuration:

Switch(config)# interface gigabitethernet0/2
Switch(config-if)# macro apply desktop-config
Switch(config-if)# end
Switch# show parser macro description
Interface    Macro Description
Gi0/2        desktop-config

This example shows how to apply the user-created macro called desktop-config and to replace all
occurrences of VLAN 1 with VLAN 25:

Switch(config-if)# macro apply desktop-config vlan 25

Applying  Cisco-Default  Smartports  Macros 

Beginning in privileged EXEC mode, follow these steps to apply a Smartports macro:

Step 1  show parser macro
        Display the Cisco-default Smartports macros embedded in the switch software.

Step 2  show parser macro macro-name
        Display the specific macro that you want to apply.

Step 3  configure terminal
        Enter global configuration mode.

Step 4  macro global {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}]
        Append the Cisco-default macro with the required values by using the parameter value keywords and
        apply the macro to the switch. Keywords that begin with $ mean that a unique parameter value is
        required.

        You can use the macro global apply macro-name ? command to display a list of any required values
        in the macro. If you apply a macro without entering the keyword values, the commands are invalid and
        are not applied.

Step 5  interface interface-id
        (Optional) Enter interface configuration mode, and specify the interface on which to apply the macro.

Step 6  default interface interface-id
        (Optional) Clear all configuration from the specified interface.

Step 7  macro {apply | trace} macro-name [parameter {value}] [parameter {value}] [parameter {value}]
        Append the Cisco-default macro with the required values by using the parameter value keywords, and
        apply the macro to the interface. Keywords that begin with $ mean that a unique parameter value is
        required.

        You can use the macro apply macro-name ? command to display a list of any required values in the
        macro. If you apply a macro without entering the keyword values, the commands are invalid and are
        not applied.

Step 8  end
        Return to privileged EXEC mode.

Step 9  show running-config interface interface-id
        Verify that the macro is applied to an interface.

Step 10 copy running-config startup-config
        (Optional) Save your entries in the configuration file.

You  can  delete  a  global  macro-applied  configuration  on  a  switch  only  by  entering  the  no  version  of  each 
command  that  is  in  the  macro.  You  can  delete  a  macro-applied  configuration  on  an  interface  by  entering 
the  default  interface  interface-id  interface  configuration  command. 

This example shows how to display the cisco-desktop macro, how to apply the macro, and how to set the
access VLAN ID to 25 on an interface:

Switch# show parser macro cisco-desktop
Macro name : cisco-desktop
Macro type : default
# Basic interface - Enable data VLAN only
# Recommended value for access vlan (AVID) should not be 1
switchport access vlan $AVID
switchport mode access

# Enable port security limiting port to a single
# MAC address -- that of desktop
switchport port-security
switchport port-security maximum 1

# Ensure port-security age is greater than one minute
# and use inactivity timer
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity

# Configure port as an edge network port
spanning-tree portfast
spanning-tree bpduguard enable
Switch#
Switch# configure terminal
Switch(config)# interface gigabitethernet0/4
Switch(config-if)# macro apply cisco-desktop $AVID 25
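The following Python is an added example, not Cisco's code, that models the macro life cycle described in "Creating Smartports Macros", "Applying Smartports Macros" and this section: parsing a definition terminated by @, treating # lines as comments except for a #macro keywords help string, checking the guideline against exit, end and interface commands, and applying the macro with the case-sensitive, full-match keyword substitution the guidelines describe. The test macro and the cisco-desktop body are the ones shown in this chapter, and the trace lines follow the format of the macro global trace example; the function names, the 3000-character and three-keyword checks as coded here, and the handling of keywords that were given no value are assumptions drawn from the chapter's prose rather than from switch behaviour.

```python
import re

# Added example (not Cisco code): models how a Smartports macro is parsed,
# checked against the guidelines in this chapter, and applied with keyword
# substitution. Limits and rules come from the chapter; names are assumptions.

MAX_MACRO_CHARS = 3000     # maximum definition length stated in the chapter
MAX_KEYWORDS = 3           # up to three help-string keywords / keyword-value pairs

# The 'test' macro from "Creating Smartports Macros", as typed after 'macro name test'.
TEST_MACRO = """\
switchport access vlan $VLANID
switchport port-security maximum $MAX
#macro keywords $VLANID $MAX
@"""

# Body of the Cisco-default cisco-desktop macro as displayed by 'show parser macro'.
CISCO_DESKTOP = """\
# Basic interface - Enable data VLAN only
# Recommended value for access vlan (AVID) should not be 1
switchport access vlan $AVID
switchport mode access
# Enable port security limiting port to a single
# MAC address -- that of desktop
switchport port-security
switchport port-security maximum 1
# Ensure port-security age is greater than one minute
# and use inactivity timer
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
# Configure port as an edge network port
spanning-tree portfast
spanning-tree bpduguard enable
@"""

KEYWORDS_LINE = re.compile(r"^#\s*macro keywords\s+(.*)$")
MODE_CHANGING = re.compile(r"^\s*(exit|end|interface\s+\S+)\s*$")


def parse_macro(definition: str) -> tuple[list[str], list[str]]:
    """Return (commands, declared_keywords). Input stops at the '@' line;
    '#' lines are comments unless they are a '#macro keywords' help string."""
    if len(definition) > MAX_MACRO_CHARS:
        raise ValueError("macro definition exceeds 3000 characters")
    commands, keywords = [], []
    for line in definition.splitlines():
        if line.strip() == "@":
            break
        if line.startswith("#"):
            m = KEYWORDS_LINE.match(line)
            if m:
                keywords.extend(m.group(1).split())
            continue
        if line.strip():
            commands.append(line.rstrip())
    if len(keywords) > MAX_KEYWORDS:
        raise ValueError("more than three help-string keywords")
    return commands, keywords


def lint_macro(commands: list[str]) -> list[str]:
    """Commands the guidelines say to keep out of a macro: every command after
    them would execute in a different configuration mode."""
    return [c for c in commands if MODE_CHANGING.match(c)]


def required_keywords(commands: list[str], declared: list[str]) -> list[str]:
    """Keywords that need a value: those declared with '#macro keywords' plus
    any $-prefixed token, the convention the Cisco-default macros use."""
    found = {tok for c in commands for tok in c.split() if tok.startswith("$")}
    return sorted(found | set(declared))


def apply_macro(commands: list[str], params: dict[str, str], trace: bool = False):
    """Substitute keywords and return (applied_commands, trace_lines). Matching is
    case sensitive and replaces every full occurrence of the keyword, even when
    it sits inside a longer token, exactly as the guidelines describe."""
    if len(params) > MAX_KEYWORDS:
        raise ValueError("at most three keyword-value pairs")
    applied, log = [], []
    for cmd in commands:
        for kw, val in params.items():
            cmd = cmd.replace(kw, str(val))
        applied.append(cmd)
        if trace:
            log.append(f"Applying command...'{cmd}'")
    return applied, log


def unresolved(commands: list[str], declared: list[str], params: dict[str, str]) -> list[str]:
    """Keywords still lacking a value; the chapter says the commands are then
    invalid and not applied, so a caller should stop here and ask for them."""
    return [k for k in required_keywords(commands, declared) if k not in params]
```

Running apply_macro on the cisco-desktop body with {"$AVID": "25"} reproduces what macro apply cisco-desktop $AVID 25 configures, and the two substitution corner cases in the tests (an unprefixed keyword such as vlan also rewriting the command word vlan, and MAX leaving the lower-case maximum alone) are why the chapter recommends the $ prefix and warns that matching is case sensitive.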


Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide, 380261-003
Displaying Smartports Macros

To display the Smartports macros, use one or more of the privileged EXEC commands in Table 8-2.

Table 8-2  Commands for Displaying Smartports Macros

Command                                                        Purpose

show parser macro
        Displays all configured macros.

show parser macro name macro-name
        Displays a specific macro.

show parser macro brief
        Displays the configured macro names.

show parser macro description [interface interface-id]
        Displays the macro description for all interfaces or for a specified interface.
Configuring VLANs


This  chapter  describes  how  to  configure  normal-range  VLANs  (VLAN  IDs  1  to  1005)  and 
extended-range  VLANs  (VLAN  IDs  1006  to  4094)  on  the  switch.  It  includes  information  about  VLAN 
membership  modes,  VLAN  configuration  modes,  VLAN  trunks,  and  dynamic  VLAN  assignment  from 
a  VLAN  Membership  Policy  Server  (VMPS). 


Note      For  complete  syntax  and  usage  information  for  the  commands  used  in  this  chapter,  see  the  command 
reference  for  this  release. 

The  chapter  consists  of  these  sections: 

•  Understanding  VLANs,  page  9-1 

•  Configuring  Normal-Range  VLANs,  page  9-4 

•  Configuring  Extended-Range  VLANs,  page  9-11 

•  Displaying  VLANs,  page  9-14 

•  Configuring  VLAN  Trunks,  page  9-14 

•  Configuring  VMPS,  page  9-25 

Understanding  VLANs 

A  VLAN  is  a  switched  network  that  is  logically  segmented  by  function,  project  team,  or  application, 
without  regard  to  the  physical  locations  of  the  users.  VLANs  have  the  same  attributes  as  physical  LANs, 
but  you  can  group  end  stations  even  if  they  are  not  physically  located  on  the  same  LAN  segment.  Any 
switch  port  can  belong  to  a  VLAN,  and  unicast,  broadcast,  and  multicast  packets  are  forwarded  and 
flooded  only  to  end  stations  in  the  VLAN.  Each  VLAN  is  considered  a  logical  network,  and  packets 
destined  for  stations  that  do  not  belong  to  the  VLAN  must  be  forwarded  through  a  router  or  a  switch 
supporting  fallback  bridging,  as  shown  in  Figure  9-1.  Because  a  VLAN  is  considered  a  separate  logical 
network,  it  contains  its  own  bridge  Management  Information  Base  (MIB)  information  and  can  support 
its  own  implementation  of  spanning  tree.  See  Chapter  12,  "Configuring  STP." 


Note      Before  you  create  VLANs,  you  must  decide  whether  to  use  VLAN  Trunking  Protocol  (VTP)  to  maintain 
global  VLAN  configuration  for  your  network.  For  more  information  on  VTP,  see  Chapter  10, 
"Configuring  VTP." 
Figure 9-1 shows an example of VLANs segmented into logically defined networks.

Figure 9-1  VLANs as Logically Defined Networks
[Figure: three logically separate networks, the Engineering VLAN, the Marketing VLAN, and the Accounting VLAN]


VLANs  are  often  associated  with  IP  subnetworks.  For  example,  all  the  end  stations  in  a  particular  IP 
subnet  belong  to  the  same  VLAN.  Interface  VLAN  membership  on  the  switch  is  assigned  manually  on 
an  interface-by-interface  basis.  When  you  assign  switch  interfaces  to  VLANs  by  using  this  method,  it  is 
known  as  interface-based,  or  static,  VLAN  membership. 

Traffic  between  VLANs  must  be  routed  or  fallback  bridged. 

Supported  VLANs 

The  switch  supports  VLANs  in  VTP  client,  server,  and  transparent  modes.  VLANs  are  identified  by  a 
number  from  1  to  4094.  VLAN  IDs  1002  through  1005  are  reserved  for  Token  Ring  and  FDDI  VLANs. 
VTP  only  learns  normal-range  VLANs,  with  VLAN  IDs  1  to  1005;  VLAN  IDs  greater  than  1005  are 
extended-range  VLANs  and  are  not  stored  in  the  VLAN  database.  The  switch  must  be  in  VTP 
transparent  mode  when  you  create  VLAN  IDs  from  1006  to  4094. 

Although  the  switch  supports  a  total  of  1005  (normal  range  and  extended  range)  VLANs,  the  number  of 
configured  features  affects  the  use  of  the  switch  hardware. 

The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN. See the "Normal-Range VLAN Configuration Guidelines" section on page 9-5 for more information about the number of spanning-tree instances and the number of VLANs. The switch supports both Inter-Switch Link (ISL) and IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.


9-2
Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide
380261-003
Chapter 9  Configuring VLANs
Understanding VLANs


VLAN  Port  Membership  Modes 

You  configure  a  port  to  belong  to  a  VLAN  by  assigning  a  membership  mode  that  specifies  the  kind  of 
traffic  the  port  carries  and  the  number  of  VLANs  to  which  it  can  belong.  Table  9-1  lists  the  membership 
modes  and  membership  and  VTP  characteristics. 


Table 9-1  Port Membership Modes and Characteristics

Static-access
  VLAN membership characteristics: A static-access port can belong to one VLAN and is manually assigned to that VLAN. For more information, see the "Assigning Static-Access Ports to a VLAN" section on page 9-10.
  VTP characteristics: VTP is not required. If you do not want VTP to globally propagate information, set the VTP mode to transparent. To participate in VTP, there must be at least one trunk port on the switch connected to a trunk port of a second switch.

Trunk (IEEE 802.1Q)
  VLAN membership characteristics: A trunk port is a member of all VLANs by default, including extended-range VLANs, but membership can be limited by configuring the allowed-VLAN list. You can also modify the pruning-eligible list to block flooded traffic to VLANs on trunk ports that are included in the list. For information about configuring trunk ports, see the "Configuring an Ethernet Interface as a Trunk Port" section on page 9-17.
  VTP characteristics: VTP is recommended but not required. VTP maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP exchanges VLAN configuration messages with other switches over trunk links.

Dynamic access
  VLAN membership characteristics: A dynamic-access port can belong to one VLAN (VLAN ID 1 to 4094) and is dynamically assigned by a VMPS. The VMPS can be a Catalyst 5000 or Catalyst 6500 series switch, for example, but never a CGESM switch, which is a VMPS client. You can have dynamic-access ports and trunk ports on the same switch, but you must connect the dynamic-access port to an end station or hub and not to another switch. For configuration information, see the "Configuring Dynamic-Access Ports on VMPS Clients" section on page 9-28.
  VTP characteristics: VTP is required. Configure the VMPS and the client with the same VTP domain name. To participate in VTP, at least one trunk port on the switch must be connected to a trunk port of a second switch.

Voice VLAN
  VLAN membership characteristics: A voice VLAN port is an access port attached to a Cisco IP Phone, configured to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. For more information about voice VLAN ports, see Chapter 11, "Configuring Voice VLAN."
  VTP characteristics: VTP is not required; it has no effect on a voice VLAN.

For  more  detailed  definitions  of  access  and  trunk  modes  and  their  functions,  see  Table  9-4  on  page  9-16. 

When a port belongs to a VLAN, the switch learns and manages the addresses associated with the port on a per-VLAN basis. For more information, see the "Managing the MAC Address Table" section on page 4-19.
Configuring Normal-Range VLANs

Normal-range VLANs are VLANs with VLAN IDs 1 to 1005. If the switch is in VTP server or VTP transparent mode, you can add, modify, or remove configurations for VLANs 2 to 1001 in the VLAN database. (VLAN IDs 1 and 1002 to 1005 are automatically created and cannot be removed.)


Note      When  the  switch  is  in  VTP  transparent  mode,  you  can  also  create  extended-range  VLANs  (VLANs  with 
IDs  from  1006  to  4094),  but  these  VLANs  are  not  saved  in  the  VLAN  database.  See  the  "Configuring 
Extended-Range  VLANs"  section  on  page  9-11. 


Configurations  for  VLAN  IDs  1  to  1005  are  written  to  the  file  vlan.dat  (VLAN  database),  and  you  can 
display  them  by  entering  the  show  vlan  privileged  EXEC  command.  The  vlan.dat  file  is  stored  in  flash 
memory. 


Caution      You  can  cause  inconsistency  in  the  VLAN  database  if  you  attempt  to  manually  delete  the  vlan.dat  file. 

If  you  want  to  modify  the  VLAN  configuration,  use  the  commands  described  in  these  sections  and  in  the 
command  reference  for  this  release.  To  change  the  VTP  configuration,  see  Chapter  10,  "Configuring 
VTP." 


You  use  the  interface  configuration  mode  to  define  the  port  membership  mode  and  to  add  and  remove 
ports  from  VLANs.  The  results  of  these  commands  are  written  to  the  running-configuration  file,  and  you 
can  display  the  file  by  entering  the  show  running-config  privileged  EXEC  command. 

You  can  set  these  parameters  when  you  create  a  new  normal-range  VLAN  or  modify  an  existing  VLAN 
in  the  VLAN  database: 

•  VLAN  ID 

•  VLAN  name 

•  VLAN  type  (Ethernet,  Fiber  Distributed  Data  Interface  [FDDI],  FDDI  network  entity  title  [NET], 
TrBRF,  or  TrCRF,  Token  Ring,  Token  Ring-Net) 

•  VLAN  state  (active  or  suspended) 

•  Maximum  transmission  unit  (MTU)  for  the  VLAN 

•  Security  Association  Identifier  (SAID) 

•  Bridge  identification  number  for  TrBRF  VLANs 

•  Ring  number  for  FDDI  and  TrCRF  VLANs 

•  Parent  VLAN  number  for  TrCRF  VLANs 

•  Spanning  Tree  Protocol  (STP)  type  for  TrCRF  VLANs 

•  VLAN  number  to  use  when  translating  from  one  VLAN  type  to  another 


Note      This section does not provide configuration details for most of these parameters. For complete information on the commands and parameters that control VLAN configuration, see the command reference for this release.

These sections contain normal-range VLAN configuration information:

•  Token  Ring  VLANs,  page  9-5 

•  Normal-Range  VLAN  Configuration  Guidelines,  page  9-5 

•  VLAN  Configuration  Mode  Options,  page  9-6 

•  Saving  VLAN  Configuration,  page  9-7 

•  Default  Ethernet  VLAN  Configuration,  page  9-7 

•  Creating  or  Modifying  an  Ethernet  VLAN,  page  9-8 

•  Deleting  a  VLAN,  page  9-10 

•  Assigning  Static-Access  Ports  to  a  VLAN,  page  9-10 

Token  Ring  VLANs 

Although  the  switch  does  not  support  Token  Ring  connections,  a  remote  device  such  as  a  Catalyst  5000 
series  switch  with  Token  Ring  connections  could  be  managed  from  one  of  the  supported  switches. 
Switches  running  VTP  Version  2  advertise  information  about  these  Token  Ring  VLANs: 

•  Token  Ring  TrBRF  VLANs 

•  Token  Ring  TrCRF  VLANs 

For  more  information  on  configuring  Token  Ring  VLANs,  see  the  Catalyst  5000  Series  Software 
Configuration  Guide. 

Normal-Range  VLAN  Configuration  Guidelines 

Follow  these  guidelines  when  creating  and  modifying  normal-range  VLANs  in  your  network: 

•  The  switch  supports  1005  VLANs  in  VTP  client,  server,  and  transparent  modes. 

•  Normal-range  VLANs  are  identified  with  a  number  between  1  and  1001.  VLAN  numbers  1002 
through  1005  are  reserved  for  Token  Ring  and  FDDI  VLANs. 

•  VLAN configuration for VLANs 1 to 1005 is always saved in the VLAN database. If the VTP mode is transparent, the VTP and VLAN configuration is also saved in the switch running configuration file.

•  The  switch  also  supports  VLAN  IDs  1006  through  4094  in  VTP  transparent  mode  (VTP  disabled). 
These  are  extended-range  VLANs  and  configuration  options  are  limited.  Extended-range  VLANs 
are  not  saved  in  the  VLAN  database.  See  the  "Configuring  Extended-Range  VLANs"  section  on 
page  9-11. 

•  Before  you  can  create  a  VLAN,  the  switch  must  be  in  VTP  server  mode  or  VTP  transparent  mode. 
If  the  switch  is  a  VTP  server,  you  must  define  a  VTP  domain  or  VTP  will  not  function. 

•  The  switch  does  not  support  Token  Ring  or  FDDI  media.  The  switch  does  not  forward  FDDI, 
FDDI-Net,  TrCRF,  or  TrBRF  traffic,  but  it  does  propagate  the  VLAN  configuration  through  VTP. 

•  The  switch  supports  128  spanning-tree  instances.  If  a  switch  has  more  active  VLANs  than  supported 
spanning-tree  instances,  spanning  tree  can  be  enabled  on  128  VLANs  and  is  disabled  on  the 
remaining  VLANs.  If  you  have  already  used  all  available  spanning-tree  instances  on  a  switch, 
adding  another  VLAN  anywhere  in  the  VTP  domain  creates  a  VLAN  on  that  switch  that  is  not 
running  spanning-tree.  If  you  have  the  default  allowed  list  on  the  trunk  ports  of  that  switch  (which 
is  to  allow  all  VLANs),  the  new  VLAN  is  carried  on  all  trunk  ports.  Depending  on  the  topology  of 
the network, this could create a loop in the new VLAN that would not be broken, particularly if there
are  several  adjacent  switches  that  all  have  run  out  of  spanning-tree  instances.  You  can  prevent  this 
possibility  by  setting  allowed  lists  on  the  trunk  ports  of  switches  that  have  used  up  their  allocation 
of  spanning-tree  instances. 

If  the  number  of  VLANs  on  the  switch  exceeds  the  number  of  supported  spanning-tree  instances, 
we  recommend  that  you  configure  the  IEEE  802.1s  Multiple  STP  (MSTP)  on  your  switch  to  map 
multiple  VLANs  to  a  single  spanning-tree  instance.  For  more  information  about  MSTP,  see 
Chapter  13,  "Configuring  MSTP." 
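As an added example (not from the Cisco guide), the following Python function checks a planned set of VLAN IDs against the rules in this section before any command is typed: the 1 to 4094 ID range, the reserved IDs 1002 to 1005, the VTP-mode requirement for creating VLANs and for the extended range, the 1005-VLAN total, and the 128 spanning-tree instance limit that leaves later VLANs without STP. The numeric limits come from the text; the function names, the `stp_in_use` argument, the assumption that the five default VLANs count toward the 1005 total, and the sample plan are this example's own.

```python
"""Pre-check a VLAN plan against the rules in this chapter.

Added example, not part of the Cisco guide. The limits below are the ones the
chapter states. Function names, the `stp_in_use` argument and the sample
plan at the bottom are this example's own.
"""

VLAN_MAX = 4094
EXTENDED_MIN = 1006                        # 1006 to 4094: extended range
RESERVED = frozenset(range(1002, 1006))    # Token Ring and FDDI defaults
DEFAULT_VLANS = frozenset({1}) | RESERVED  # created automatically, cannot be removed
VLAN_LIMIT = 1005                          # total VLANs the switch supports
STP_INSTANCES = 128                        # PVST+ / rapid PVST+ instances


def default_name(vlan_id):
    """Default VLAN name: 'VLAN' plus the ID zero-padded to four digits."""
    return f"VLAN{vlan_id:04d}"


def default_said(vlan_id):
    """Default IEEE 802.10 SAID: 100000 plus the VLAN ID (Table 9-2)."""
    return 100000 + vlan_id


def validate_plan(vlan_ids, vtp_mode, stp_in_use=1):
    """Check creating `vlan_ids` on a switch whose VTP mode is `vtp_mode`.

    `stp_in_use` is the number of spanning-tree instances already running
    (VLAN 1 alone uses one on a fresh switch). Returns (errors, warnings):
    errors are VLANs the switch would reject, warnings are accepted VLANs
    that need operator follow-up.
    """
    errors, warnings = [], []
    if vtp_mode not in ("server", "client", "transparent"):
        return [f"unknown VTP mode {vtp_mode!r}"], warnings
    if vtp_mode == "client":
        # VLANs can be created only in VTP server or transparent mode.
        return ["VTP client mode: VLANs cannot be created on this switch"], warnings

    requested = sorted(set(vlan_ids))
    # Assumption of this example: the five default VLANs count toward the total.
    if len(set(requested) - DEFAULT_VLANS) + len(DEFAULT_VLANS) > VLAN_LIMIT:
        errors.append(f"plan exceeds the {VLAN_LIMIT}-VLAN total the switch supports")

    stp_free = STP_INSTANCES - stp_in_use
    for vid in requested:
        if vid in DEFAULT_VLANS:
            warnings.append(f"VLAN {vid}: default VLAN, already exists and cannot be removed")
            continue
        if not 1 <= vid <= VLAN_MAX:
            errors.append(f"VLAN {vid}: ID must be 1 to {VLAN_MAX}")
            continue
        if vid >= EXTENDED_MIN:
            if vtp_mode != "transparent":
                errors.append(f"VLAN {vid}: extended range needs VTP transparent mode")
                continue
            warnings.append(f"VLAN {vid}: not kept in vlan.dat; save running-config "
                            f"with VTP transparent mode to startup-config")
        # Each new VLAN takes one PVST+ instance until the pool is exhausted;
        # after that the VLAN is created with spanning tree disabled.
        if stp_free > 0:
            stp_free -= 1
        else:
            warnings.append(f"VLAN {vid}: no spanning-tree instance left, it runs "
                            f"without STP; prune it from trunk allowed lists or use MSTP")
    return errors, warnings


if __name__ == "__main__":
    # Sample plan (constructed): two normal-range VLANs and one extended-range
    # VLAN on a switch that is still in the default VTP server mode.
    errs, warns = validate_plan([20, 30, 2000], "server")
    for line in errs + warns:
        print(line)
```

Run it against the plan you intend to push and fix every error before touching the switch; the warnings are the two follow-ups the guidelines call out (saving transparent mode with the extended-range VLANs, and restricting or MSTP-mapping VLANs that would run without spanning tree).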

VLAN  Configuration  Mode  Options 

You  can  configure  normal-range  VLANs  (with  VLAN  IDs  1  to  1005)  by  using  these  two  configuration 
modes: 

•  VLAN  Configuration  in  config-vlan  Mode,  page  9-6 

You  access  config-vlan  mode  by  entering  the  vlan  vlan-id  global  configuration  command. 

•  VLAN  Configuration  in  VLAN  Database  Configuration  Mode,  page  9-6 

You  access  VLAN  database  configuration  mode  by  entering  the  vlan  database  privileged  EXEC 
command. 

VLAN  Configuration  in  config-vlan  Mode 

To  access  config-vlan  mode,  enter  the  vlan  global  configuration  command  with  a  VLAN  ID.  Enter  a  new 
VLAN  ID  to  create  a  VLAN,  or  enter  an  existing  VLAN  ID  to  modify  that  VLAN.  You  can  use  the 
default  VLAN  configuration  (Table  9-2)  or  enter  multiple  commands  to  configure  the  VLAN.  For  more 
information  about  commands  available  in  this  mode,  see  the  vlan  global  configuration  command 
description  in  the  command  reference  for  this  release.  When  you  have  finished  the  configuration,  you 
must  exit  config-vlan  mode  for  the  configuration  to  take  effect.  To  display  the  VLAN  configuration, 
enter  the  show  vlan  privileged  EXEC  command. 

You  must  use  this  config-vlan  mode  when  creating  extended-range  VLANs  (VLAN  IDs  greater  than 
1005).  See  the  "Configuring  Extended-Range  VLANs"  section  on  page  9-11. 

VLAN  Configuration  in  VLAN  Database  Configuration  Mode 

To  access  VLAN  database  configuration  mode,  enter  the  vlan  database  privileged  EXEC  command. 
Then  enter  the  vlan  command  with  a  new  VLAN  ID  to  create  a  VLAN,  or  enter  an  existing  VLAN  ID 
to  modify  the  VLAN.  You  can  use  the  default  VLAN  configuration  (Table  9-2)  or  enter  multiple 
commands  to  configure  the  VLAN.  For  more  information  about  keywords  available  in  this  mode,  see 
the  vlan  VLAN  database  configuration  command  description  in  the  command  reference  for  this  release. 
When  you  have  finished  the  configuration,  you  must  enter  apply  or  exit  for  the  configuration  to  take 
effect.  When  you  enter  the  exit  command,  it  applies  all  commands  and  updates  the  VLAN  database.  VTP 
messages  are  sent  to  other  switches  in  the  VTP  domain,  and  the  privileged  EXEC  mode  prompt  appears. 
Saving VLAN Configuration

The  configurations  of  VLAN  IDs  1  to  1005  are  always  saved  in  the  VLAN  database  (vlan.dat  file).  If 
the  VTP  mode  is  transparent,  they  are  also  saved  in  the  switch  running  configuration  file.  You  can  enter 
the  copy  running-config  startup-config  privileged  EXEC  command  to  save  the  configuration  in  the 
startup  configuration  file.  To  display  the  VLAN  configuration,  enter  the  show  vlan  privileged  EXEC 
command. 

When  you  save  VLAN  and  VTP  information  (including  extended-range  VLAN  configuration 
information)  in  the  startup  configuration  file  and  reboot  the  switch,  the  switch  configuration  is  selected 
as  follows: 

•  If the VTP mode in the startup configuration is transparent, and the VTP domain name in the VLAN database matches the one in the startup configuration file, the VLAN database is ignored (cleared), and the VTP and VLAN configurations in the startup configuration file are used. The VLAN database revision number remains unchanged in the VLAN database.

•  If the VTP mode or domain name in the startup configuration does not match the VLAN database, the domain name, VTP mode, and configuration for the first 1005 VLANs are taken from the VLAN database.

•  If the VTP mode is server, the domain name and VLAN configuration for the first 1005 VLANs are taken from the VLAN database.


Caution      If  the  VLAN  database  configuration  is  used  at  startup  and  the  startup  configuration  file  contains 
extended-range  VLAN  configuration,  this  information  is  lost  when  the  system  boots  up. 


Default  Ethernet  VLAN  Configuration 

Table  9-2  shows  the  default  configuration  for  Ethernet  VLANs. 


Note  The  switch  supports  Ethernet  interfaces  exclusively.  Because  FDDI  and  Token  Ring  VLANs  are  not 
locally  supported,  you  only  configure  FDDI  and  Token  Ring  media-specific  characteristics  for  VTP 
global  advertisements  to  other  switches. 


Table 9-2  Ethernet VLAN Defaults and Ranges

Parameter               Default                                     Range
VLAN ID                 1                                           1 to 4094. Note: extended-range VLANs (VLAN IDs 1006 to 4094) are not saved in the VLAN database.
VLAN name               VLANxxxx, where xxxx is the VLAN ID as      No range
                        four digits, including leading zeros
IEEE 802.10 SAID        100001 (100000 plus the VLAN ID)            1 to 4294967294
MTU size                1500                                        1500 to 18190
Translational bridge 1  0                                           0 to 1005
Translational bridge 2  0                                           0 to 1005
VLAN state              active                                      active, suspend
Remote SPAN             disabled                                    enabled, disabled

Creating  or  Modifying  an  Ethernet  VLAN 

Each  Ethernet  VLAN  in  the  VLAN  database  has  a  unique,  4-digit  ID  that  can  be  a  number  from  1  to 
1001.  VLAN  IDs  1002  to  1005  are  reserved  for  Token  Ring  and  FDDI  VLANs.  To  create  a  normal-range 
VLAN  to  be  added  to  the  VLAN  database,  assign  a  number  and  name  to  the  VLAN. 


Note      When the switch is in VTP transparent mode, you can assign VLAN IDs greater than 1005 (1006 to 4094), but they are not added to the VLAN database. See the "Configuring Extended-Range VLANs" section on page 9-11.


For  the  list  of  default  parameters  that  are  assigned  when  you  add  a  VLAN,  see  the  "Configuring 
Normal-Range  VLANs"  section  on  page  9-4. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  use  config-vlan  mode  to  create  or  modify  an 
Ethernet  VLAN: 


Step 1  configure terminal
        Enter global configuration mode.

Step 2  vlan vlan-id
        Enter a VLAN ID, and enter config-vlan mode. Enter a new VLAN ID to create a VLAN, or enter an existing VLAN ID to modify that VLAN.
        Note  The available VLAN ID range for this command is 1 to 4094. For information about adding VLAN IDs greater than 1005 (extended-range VLANs), see the "Configuring Extended-Range VLANs" section on page 9-11.

Step 3  name vlan-name
        (Optional) Enter a name for the VLAN. If no name is entered for the VLAN, the default is to append the vlan-id with leading zeros to the word VLAN. For example, VLAN0004 is the default VLAN name for VLAN 4.

Step 4  mtu mtu-size
        (Optional) Change the MTU size (or another VLAN characteristic).

Step 5  remote-span
        (Optional) Configure the VLAN as the RSPAN VLAN for a remote SPAN session. For more information on remote SPAN, see Chapter 22, "Configuring SPAN and RSPAN."

Step 6  end
        Return to privileged EXEC mode.

Step 7  show vlan {name vlan-name | id vlan-id}
        Verify your entries.

Step 8  copy running-config startup-config
        (Optional) If the switch is in VTP transparent mode, the VLAN configuration is saved in the running configuration file as well as in the VLAN database. This saves the configuration in the switch startup configuration file.
To return the VLAN name, MTU size, or remote SPAN setting to the default, use the no name, no mtu, or no remote-span config-vlan command.

This  example  shows  how  to  use  config-vlan  mode  to  create  Ethernet  VLAN  20,  name  it  test20,  and  add 
it  to  the  VLAN  database: 

Switch# configure terminal
Switch(config)# vlan 20
Switch(config-vlan)# name test20
Switch(config-vlan)# end

You  can  also  create  or  modify  Ethernet  VLANs  by  using  the  VLAN  database  configuration  mode. 


Note      VLAN  database  configuration  mode  does  not  support  RSPAN  VLAN  configuration  or  extended-range 
VLANs. 


Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  use  VLAN  database  configuration  mode  to 
create  or  modify  an  Ethernet  VLAN: 


Step 1  vlan database
        Enter VLAN database configuration mode.

Step 2  vlan vlan-id name vlan-name
        Add an Ethernet VLAN by assigning a number to it. The range is 1 to 1001. You can create or modify a range of consecutive VLANs by entering vlan first-vlan-id end last-vlan-id.
        Note  When entering a VLAN ID in VLAN database configuration mode, do not enter leading zeros.
        If no name is entered for the VLAN, the default is to append the vlan-id with leading zeros to the word VLAN. For example, VLAN0004 is the default VLAN name for VLAN 4.

Step 3  vlan vlan-id mtu mtu-size
        (Optional) To modify a VLAN, identify the VLAN and change a characteristic, such as the MTU size.

Step 4  exit
        Update the VLAN database, propagate it throughout the administrative domain, and return to privileged EXEC mode.

Step 5  show vlan {name vlan-name | id vlan-id}
        Verify your entries.

Step 6  copy running-config startup-config
        (Optional) If the switch is in VTP transparent mode, the VLAN configuration is saved in the running configuration file as well as in the VLAN database. This saves the configuration in the switch startup configuration file.

To  return  the  VLAN  name  to  the  default  settings,  use  the  no  vlan  vlan-id  name  or  no  vlan  vlan-id  mtu 
VLAN  database  configuration  command. 

This example shows how to use VLAN database configuration mode to create Ethernet VLAN 20, name it test20, and add it to the VLAN database:

Switch# vlan database
Switch(vlan)# vlan 20 name test20
Switch(vlan)# exit
APPLY completed.
Exiting....
Deleting a VLAN

When  you  delete  a  VLAN  from  a  switch  that  is  in  VTP  server  mode,  the  VLAN  is  removed  from  the 
VLAN  database  for  all  switches  in  the  VTP  domain.  When  you  delete  a  VLAN  from  a  switch  that  is  in 
VTP  transparent  mode,  the  VLAN  is  deleted  only  on  that  specific  switch. 

You  cannot  delete  the  default  VLANs  for  the  different  media  types:  Ethernet  VLAN  1  and  FDDI  or 
Token  Ring  VLANs  1002  to  1005. 


Caution      When  you  delete  a  VLAN,  any  ports  assigned  to  that  VLAN  become  inactive.  They  remain  associated 
with  the  VLAN  (and  thus  inactive)  until  you  assign  them  to  a  new  VLAN. 


Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  delete  a  VLAN  on  the  switch: 


Step 1  configure terminal
        Enter global configuration mode.

Step 2  no vlan vlan-id
        Remove the VLAN by entering the VLAN ID.

Step 3  end
        Return to privileged EXEC mode.

Step 4  show vlan brief
        Verify the VLAN removal.

Step 5  copy running-config startup-config
        (Optional) If the switch is in VTP transparent mode, the VLAN configuration is saved in the running configuration file as well as in the VLAN database. This saves the configuration in the switch startup configuration file.

To  delete  a  VLAN  by  using  VLAN  database  configuration  mode,  use  the  vlan  database  privileged 
EXEC  command  to  enter  VLAN  database  configuration  mode  and  the  no  vlan  vlan-id  VLAN  database 
configuration  command. 
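As an added example, not from the Cisco guide: after no vlan vlan-id the ports assigned to that VLAN keep their assignment and go inactive until they are moved (see the Caution above), and nothing in show vlan brief points at them because the VLAN row is gone. The Python check below pairs the interface stanzas of the running configuration with show vlan brief output and lists access ports whose VLAN no longer exists. The two sample outputs are constructed for the example and the function names are its own; the show vlan brief columns and the interface stanza layout follow the usual Cisco IOS output.

```python
"""Find access ports left in a VLAN that no longer exists.

Added example, not from the Cisco guide. Pairs `show running-config` interface
stanzas with `show vlan brief` to list ports stranded (inactive) by a VLAN
deletion. The sample outputs below are constructed for this example.
"""
import re

# Constructed sample of `show vlan brief`: VLAN 30 has been deleted.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/3, Gi0/4
2    VLAN0002                         active    Gi0/1
20   test20                           active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
"""

# Constructed sample of the interface part of `show running-config`.
RUNNING_CONFIG = """\
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 2
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 30
!
interface GigabitEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/5
 switchport trunk allowed vlan 2,20
 switchport mode trunk
!
"""

VLAN_ROW = re.compile(r"^(\d{1,4})\s+\S+\s+(active|suspended|act/unsup|act/lshut)\b")
IFACE = re.compile(r"^interface (\S+)")
ACCESS_VLAN = re.compile(r"^\s*switchport access vlan (\d{1,4})", re.M)
TRUNK = re.compile(r"^\s*switchport mode trunk\s*$", re.M)


def parse_vlan_brief(text):
    """Return {vlan_id: status} for every VLAN row of `show vlan brief`."""
    vlans = {}
    for line in text.splitlines():
        m = VLAN_ROW.match(line)
        if m:
            vlans[int(m.group(1))] = m.group(2)
    return vlans


def parse_access_ports(text):
    """Return {interface: access_vlan} for the non-trunk interface stanzas.

    An interface with no `switchport access vlan` line is in VLAN 1, the default.
    Trunk ports are skipped: their membership is the allowed list, not an access VLAN.
    """
    ports = {}
    for stanza in re.split(r"^(?=interface )", text, flags=re.M):
        m = IFACE.match(stanza)
        if not m or TRUNK.search(stanza):
            continue
        a = ACCESS_VLAN.search(stanza)
        ports[m.group(1)] = int(a.group(1)) if a else 1
    return ports


def stranded_ports(running_config, vlan_brief):
    """Access ports whose VLAN is absent from `show vlan brief`, i.e. now inactive."""
    vlans = parse_vlan_brief(vlan_brief)
    return {ifc: vid for ifc, vid in parse_access_ports(running_config).items()
            if vid not in vlans}


if __name__ == "__main__":
    for ifc, vid in stranded_ports(RUNNING_CONFIG, SHOW_VLAN_BRIEF).items():
        print(f"{ifc}: access VLAN {vid} does not exist; port is inactive")
```

Run this after every VLAN deletion on a VTP server, where the deletion reaches every switch in the domain: each switch's running configuration and show vlan brief output go through the same function, and any port it reports must be moved to an existing VLAN (or the VLAN re-created) before the attached host gets connectivity back.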


Assigning  Static-Access  Ports  to  a  VLAN 

You  can  assign  a  static-access  port  to  a  VLAN  without  having  VTP  globally  propagate  VLAN 
configuration  information  by  disabling  VTP  (VTP  transparent  mode). 

If  you  are  assigning  a  port  on  a  cluster  member  switch  to  a  VLAN,  first  use  the  rcommand  privileged 
EXEC  command  to  log  in  to  the  cluster  member  switch. 


Note      If you assign an interface to a VLAN that does not exist, the new VLAN is created. A mistyped VLAN ID therefore silently creates an unintended VLAN; verify the result with the show vlan brief command. (See the "Creating or Modifying an Ethernet VLAN" section on page 9-8.)


Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  assign  a  port  to  a  VLAN  in  the  VLAN 
database: 


Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Enter the interface to be added to the VLAN.

Step 3  switchport mode access
        Define the VLAN membership mode for the port (Layer 2 access port).

Step 4  switchport access vlan vlan-id
        Assign the port to a VLAN. Valid VLAN IDs are 1 to 4094.

Step 5  end
        Return to privileged EXEC mode.

Step 6  show running-config interface interface-id
        Verify the VLAN membership mode of the interface.

Step 7  show interfaces interface-id switchport
        Verify your entries in the Administrative Mode and the Access Mode VLAN fields of the display.

Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To  return  an  interface  to  its  default  configuration,  use  the  default  interface  interface-id  interface 
configuration  command. 

This  example  shows  how  to  configure  a  port  as  an  access  port  in  VLAN  2: 

Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 2
Switch(config-if)# end


Configuring  Extended-Range  VLANs 

When  the  switch  is  in  VTP  transparent  mode  (VTP  disabled),  you  can  create  extended-range  VLANs  (in 
the  range  1006  to  4094).  Extended-range  VLANs  enable  service  providers  to  extend  their  infrastructure 
to  a  greater  number  of  customers.  The  extended-range  VLAN  IDs  are  allowed  for  any  switchport 
commands  that  allow  VLAN  IDs.  You  always  use  config-vlan  mode  (accessed  by  entering  the  vlan 
vlan-id  global  configuration  command)  to  configure  extended-range  VLANs.  The  extended  range  is  not 
supported  in  VLAN  database  configuration  mode  (accessed  by  entering  the  vlan  database  privileged 
EXEC  command). 

Extended-range  VLAN  configurations  are  not  stored  in  the  VLAN  database,  but  because  VTP  mode  is 
transparent,  they  are  stored  in  the  switch  running  configuration  file,  and  you  can  save  the  configuration 
in  the  startup  configuration  file  by  using  the  copy  running-config  startup-config  privileged  EXEC 
command. 


Note      Although  the  switch  supports  4094  VLAN  IDs,  see  the  "Supported  VLANs"  section  on  page  9-2  for  the 
actual  number  of  VLANs  supported. 

These  sections  contain  extended-range  VLAN  configuration  information: 

•  Default  VLAN  Configuration,  page  9-12 

•  Extended-Range  VLAN  Configuration  Guidelines,  page  9-12 

•  Creating  an  Extended-Range  VLAN,  page  9-12 
Default VLAN Configuration

See  Table  9-2  on  page  9-7  for  the  default  configuration  for  Ethernet  VLANs.  You  can  change  only  the 
MTU  size  and  the  remote  SPAN  configuration  state  on  extended-range  VLANs;  all  other  characteristics 
must  remain  at  the  default  state. 

Extended-Range  VLAN  Configuration  Guidelines 

Follow  these  guidelines  when  creating  extended-range  VLANs: 

•  To  add  an  extended-range  VLAN,  you  must  use  the  vlan  vlan-id  global  configuration  command  and 
access  config-vlan  mode.  You  cannot  add  extended-range  VLANs  in  VLAN  database  configuration 
mode  (accessed  by  entering  the  vlan  database  privileged  EXEC  command). 

•  VLAN  IDs  in  the  extended  range  are  not  saved  in  the  VLAN  database  and  are  not  recognized  by 
VTP. 

•  You  cannot  include  extended-range  VLANs  in  the  pruning  eligible  range. 

•  The  switch  must  be  in  VTP  transparent  mode  when  you  create  extended-range  VLANs.  If  VTP  mode 
is  server  or  client,  an  error  message  is  generated,  and  the  extended-range  VLAN  is  rejected. 

•  You  can  set  the  VTP  mode  to  transparent  in  global  configuration  mode  or  in  VLAN  database 
configuration  mode.  See  the  "Disabling  VTP  (VTP  Transparent  Mode)"  section  on  page  10-12.  You 
should  save  this  configuration  to  the  startup  configuration  so  that  the  switch  boots  up  in  VTP 
transparent  mode.  Otherwise,  you  lose  the  extended-range  VLAN  configuration  if  the  switch  resets. 

•  STP  is  enabled  by  default  on  extended-range  VLANs,  but  you  can  disable  it  by  using  the  no 
spanning-tree  vlan  vlan-id  global  configuration  command.  When  the  maximum  number  of 
spanning-tree  instances  are  on  the  switch,  spanning  tree  is  disabled  on  any  newly  created  VLANs. 
If  the  number  of  VLANs  on  the  switch  exceeds  the  maximum  number  of  spanning-tree  instances, 
we  recommend  that  you  configure  the  IEEE  802.1s  Multiple  STP  (MSTP)  on  your  switch  to  map 
multiple  VLANs  to  a  single  spanning-tree  instance.  For  more  information  about  MSTP,  see 
Chapter  13,  "Configuring  MSTP." 

•  Although  the  switch  supports  a  total  of  1005  (normal-range  and  extended-range)  VLANs,  the 
number  of  configured  features  affects  the  use  of  the  switch  hardware.  If  you  try  to  create  an 
extended-range  VLAN  and  there  are  not  enough  hardware  resources  available,  an  error  message  is 
generated,  and  the  extended-range  VLAN  is  rejected. 

Creating  an  Extended-Range  VLAN 

You create an extended-range VLAN in global configuration mode by entering the vlan global configuration command with a VLAN ID from 1006 to 4094. This command accesses config-vlan mode. The extended-range VLAN has the default Ethernet VLAN characteristics (see Table 9-2), and the MTU size and RSPAN configuration are the only parameters you can change. See the description of the vlan global configuration command in the command reference for the default settings of all parameters. If you enter an extended-range VLAN ID when the switch is not in VTP transparent mode, an error message is generated when you exit from config-vlan mode, and the extended-range VLAN is not created.

Extended-range  VLANs  are  not  saved  in  the  VLAN  database;  they  are  saved  in  the  switch  running 
configuration  file.  You  can  save  the  extended-range  VLAN  configuration  in  the  switch  startup 
configuration  file  by  using  the  copy  running-config  startup-config  privileged  EXEC  command. 
Beginning in privileged EXEC mode, follow these steps to create an extended-range VLAN:


Step 1  configure terminal
        Enter global configuration mode.

Step 2  vtp mode transparent
        Configure the switch for VTP transparent mode, disabling VTP.

Step 3  vlan vlan-id
        Enter an extended-range VLAN ID and enter config-vlan mode. The range is 1006 to 4094.

Step 4  mtu mtu-size
        (Optional) Modify the VLAN by changing the MTU size.
        Note  Although all VLAN commands appear in the CLI help in config-vlan mode, only the mtu mtu-size and remote-span commands are supported for extended-range VLANs.

Step 5  remote-span
        (Optional) Configure the VLAN as the RSPAN VLAN. See the "Configuring a VLAN as an RSPAN VLAN" section on page 22-16.

Step 6  end
        Return to privileged EXEC mode.

Step 7  show vlan id vlan-id
        Verify that the VLAN has been created.

Step 8  copy running-config startup-config
        Save your entries in the switch startup configuration file. To save extended-range VLAN configurations, you need to save the VTP transparent mode configuration and the extended-range VLAN configuration in the switch startup configuration file. Otherwise, if the switch resets, it will default to VTP server mode, and the extended-range VLAN IDs will not be saved.

To  delete  an  extended-range  VLAN,  use  the  no  vlan  vlan-id  global  configuration  command. 

The  procedure  for  assigning  static-access  ports  to  an  extended-range  VLAN  is  the  same  as  for 
normal-range  VLANs.  See  the  "Assigning  Static-Access  Ports  to  a  VLAN"  section  on  page  9-10. 

This  example  shows  how  to  create  a  new  extended-range  VLAN  with  all  default  characteristics,  enter 
config-vlan  mode,  and  save  the  new  VLAN  in  the  switch  startup  configuration  file: 

Switch(config)# vtp mode transparent
Switch(config)# vlan 2000
Switch(config-vlan)# end
Switch# copy running-config startup-config
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Displaying  VLANs 

Use  the  show  vlan  privileged  EXEC  command  to  display  a  list  of  all  VLANs  on  the  switch,  including 
extended-range  VLANs.  The  display  includes  VLAN  status,  ports,  and  configuration  information.  To 
view  normal-range  VLANs  in  the  VLAN  database  (1  to  1005),  use  the  show  VLAN  database 
configuration  command  (accessed  by  entering  the  vlan  database  privileged  EXEC  command). 

Table 9-3 lists the commands for monitoring VLANs.

Table 9-3 VLAN Monitoring Commands

Command: show
Command Mode: VLAN database configuration
Purpose: Display status of VLANs in the VLAN database.

Command: show current [vlan-id]
Command Mode: VLAN database configuration
Purpose: Display status of all or the specified VLAN in the VLAN database.

Command: show interfaces [vlan vlan-id]
Command Mode: Privileged EXEC
Purpose: Display characteristics for all interfaces or for the specified VLAN configured on the switch.

Command: show vlan [id vlan-id]
Command Mode: Privileged EXEC
Purpose: Display parameters for all VLANs or the specified VLAN on the switch.

For  more  details  about  the  show  command  options  and  explanations  of  output  fields,  see  the  command 
reference  for  this  release. 


Configuring  VLAN  Trunks 

These  sections  contain  this  conceptual  information: 

•  Trunking  Overview,  page  9-14 

•  Encapsulation  Types,  page  9-16 

•  Default  Layer  2  Ethernet  Interface  VLAN  Configuration,  page  9-17 

•  Configuring  an  Ethernet  Interface  as  a  Trunk  Port,  page  9-17 

•  Configuring  Trunk  Ports  for  Load  Sharing,  page  9-22 

Trunking  Overview 

A  trunk  is  a  point-to-point  link  between  one  or  more  Ethernet  switch  interfaces  and  another  networking  device 
such  as  a  router  or  a  switch.  Ethernet  trunks  carry  the  traffic  of  multiple  VLANs  over  a  single  link,  and  you 
can  extend  the  VLANs  across  an  entire  network. 

Two  trunking  encapsulations  are  available  on  all  Ethernet  interfaces: 

•  Inter-Switch  Link  (ISL) — Cisco-proprietary  trunking  encapsulation. 

• IEEE 802.1Q — industry-standard trunking encapsulation.
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Figure  9-2  shows  a  network  of  blade  switches  that  are  connected  by  ISL  trunks. 
Figure 9-2  Blade Switches in an ISL Trunking Environment
[Figure: blade switches connected by ISL trunks; the labels in the figure include "Catalyst 6500 series
switch".]

You  can  configure  a  trunk  on  a  single  Ethernet  interface  or  on  an  EtherChannel  bundle.  For  more 
information  about  EtherChannel,  see  Chapter  28,  "Configuring  EtherChannels  and  Layer  2  Trunk 
Failover." 

Ethernet  trunk  interfaces  support  different  trunking  modes  (see  Table  9-4).  You  can  set  an  interface  as 
trunking  or  nontrunking  or  to  negotiate  trunking  with  the  neighboring  interface.  To  autonegotiate 
trunking,  the  interfaces  must  be  in  the  same  VTP  domain. 

Trunk  negotiation  is  managed  by  the  Dynamic  Trunking  Protocol  (DTP),  which  is  a  Point-to-Point 
Protocol.  However,  some  internetworking  devices  might  forward  DTP  frames  improperly,  which  could 
cause  misconfigurations. 

To  avoid  this,  you  should  configure  interfaces  connected  to  devices  that  do  not  support  DTP  to  not 
forward  DTP  frames,  that  is,  to  turn  off  DTP. 

•  If  you  do  not  intend  to  trunk  across  those  links,  use  the  switchport  mode  access  interface 
configuration  command  to  disable  trunking. 

• To enable trunking to a device that does not support DTP, use the switchport mode trunk and
switchport nonegotiate interface configuration commands to cause the interface to become a trunk
but to not generate DTP frames. Use the switchport trunk encapsulation isl or switchport trunk
encapsulation dot1q interface configuration command to select the encapsulation type on the trunk
port.

You can also specify on DTP interfaces whether the trunk uses ISL or IEEE 802.1Q encapsulation or if
the encapsulation type is autonegotiated. The DTP supports autonegotiation of both ISL and
IEEE 802.1Q trunks.
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Table 9-4 Layer 2 Interface Modes

Mode: switchport mode access
Function: Puts the interface (access port) into permanent nontrunking mode and negotiates to convert
the link into a nontrunk link. The interface becomes a nontrunk interface regardless of whether or not
the neighboring interface is a trunk interface.

Mode: switchport mode dynamic auto
Function: Makes the interface able to convert the link to a trunk link. The interface becomes a trunk
interface if the neighboring interface is set to trunk or desirable mode. The default switchport mode
for all Ethernet interfaces is dynamic auto.

Mode: switchport mode dynamic desirable
Function: Makes the interface actively attempt to convert the link to a trunk link. The interface
becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode.

Mode: switchport mode trunk
Function: Puts the interface into permanent trunking mode and negotiates to convert the neighboring
link into a trunk link. The interface becomes a trunk interface even if the neighboring interface is
not a trunk interface.

Mode: switchport nonegotiate
Function: Prevents the interface from generating DTP frames. You can use this command only when the
interface switchport mode is access or trunk. You must manually configure the neighboring interface
as a trunk interface to establish a trunk link.

Encapsulation Types

Table 9-5 lists the Ethernet trunk encapsulation types and keywords.

Table 9-5 Ethernet Trunk Encapsulation Types

Encapsulation: switchport trunk encapsulation isl
Function: Specifies ISL encapsulation on the trunk link.

Encapsulation: switchport trunk encapsulation dot1q
Function: Specifies IEEE 802.1Q encapsulation on the trunk link.

Encapsulation: switchport trunk encapsulation negotiate
Function: Specifies that the interface negotiate with the neighboring interface to become an ISL
(preferred) or IEEE 802.1Q trunk, depending on the configuration and capabilities of the neighboring
interface. This is the default for the switch.

The trunking mode, the trunk encapsulation type, and the hardware capabilities of the two connected
interfaces decide whether a link becomes an ISL or IEEE 802.1Q trunk.


IEEE  802.1Q  Configuration  Considerations 

The IEEE 802.1Q trunks impose these limitations on the trunking strategy for a network:

• In a network of Cisco switches connected through IEEE 802.1Q trunks, the switches maintain one
spanning-tree instance for each VLAN allowed on the trunks. Non-Cisco devices might support one
spanning-tree instance for all VLANs.

When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch
combines the spanning-tree instance of the VLAN of the trunk with the spanning-tree instance of the
non-Cisco IEEE 802.1Q switch. However, spanning-tree information for each VLAN is maintained by Cisco
switches separated by a cloud of non-Cisco IEEE 802.1Q switches. The non-Cisco IEEE 802.1Q cloud
separating the Cisco switches is treated as a single trunk link between the switches.

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• Make sure the native VLAN for an IEEE 802.1Q trunk is the same on both ends of the trunk link. If
the native VLAN on one end of the trunk is different from the native VLAN on the other end,
spanning-tree loops might result.

• Disabling spanning tree on the native VLAN of an IEEE 802.1Q trunk without disabling spanning tree
on every VLAN in the network can potentially cause spanning-tree loops. We recommend that you leave
spanning tree enabled on the native VLAN of an IEEE 802.1Q trunk or disable spanning tree on every
VLAN in the network. Make sure your network is loop-free before disabling spanning tree.

Default  Layer  2  Ethernet  Interface  VLAN  Configuration 

Table 9-6 shows the default Layer 2 Ethernet interface VLAN configuration.

Table 9-6 Default Layer 2 Ethernet Interface VLAN Configuration

Feature: Interface mode
Default Setting: switchport mode dynamic auto

Feature: Trunk encapsulation
Default Setting: switchport trunk encapsulation negotiate

Feature: Allowed VLAN range
Default Setting: VLANs 1 to 4094

Feature: VLAN range eligible for pruning
Default Setting: VLANs 2 to 1001

Feature: Default VLAN (for access ports)
Default Setting: VLAN 1

Feature: Native VLAN (for IEEE 802.1Q trunks)
Default Setting: VLAN 1

Configuring  an  Ethernet  Interface  as  a  Trunk  Port 


Because  trunk  ports  send  and  receive  VTP  advertisements,  to  use  VTP  you  must  ensure  that  at  least  one 
trunk  port  is  configured  on  the  switch  and  that  this  trunk  port  is  connected  to  the  trunk  port  of  a  second 
switch.  Otherwise,  the  switch  cannot  receive  any  VTP  advertisements. 

These  sections  contain  this  configuration  information: 

•  Interaction  with  Other  Features,  page  9-18 

•  Defining  the  Allowed  VLANs  on  a  Trunk,  page  9-19 

•  Changing  the  Pruning-Eligible  List,  page  9-20 

•  Configuring  the  Native  VLAN  for  Untagged  Traffic,  page  9-21 

Note    By default, trunks negotiate encapsulation. If the neighboring interface supports ISL and
IEEE 802.1Q encapsulation and both interfaces are set to negotiate the encapsulation type, the trunk
uses ISL encapsulation.
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Interaction  with  Other  Features 

Trunking  interacts  with  other  features  in  these  ways: 

• A trunk port cannot be a secure port.

• Trunk ports can be grouped into EtherChannel port groups, but all trunks in the group must have the
same configuration. When a group is first created, all ports follow the parameters set for the first
port to be added to the group. If you change the configuration of one of these parameters, the switch
propagates the setting you entered to all ports in the group:

- allowed-VLAN list.

- STP port priority for each VLAN.

- STP Port Fast setting.

- trunk status: if one port in a port group ceases to be a trunk, all ports cease to be trunks.

• We recommend that you configure no more than 24 trunk ports in PVST mode and no more than 40 trunk
ports in MST mode.

• If you try to enable IEEE 802.1x on a trunk port, an error message appears, and IEEE 802.1x is not
enabled. If you try to change the mode of an IEEE 802.1x-enabled port to trunk, the port mode is not
changed.

• A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable
IEEE 802.1x on a dynamic port, an error message appears, and IEEE 802.1x is not enabled. If you try
to change the mode of an IEEE 802.1x-enabled port to dynamic, the port mode is not changed.


Configuring  a  Trunk  Port 

Beginning in privileged EXEC mode, follow these steps to configure a port as a trunk port:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify the port to be configured for trunking, and enter interface configuration mode.

Step 3  switchport trunk encapsulation {isl | dot1q | negotiate}
        Configure the port to support ISL or IEEE 802.1Q encapsulation or to negotiate (the default)
        with the neighboring interface for encapsulation type.
        You must configure each end of the link with the same encapsulation type.

Step 4  switchport mode {dynamic {auto | desirable} | trunk}
        Configure the interface as a Layer 2 trunk (required only if the interface is a Layer 2
        access port or to specify the trunking mode).
        • dynamic auto — Set the interface to a trunk link if the neighboring interface is set to
          trunk or desirable mode. This is the default.
        • dynamic desirable — Set the interface to a trunk link if the neighboring interface is set
          to trunk, desirable, or auto mode.
        • trunk — Set the interface in permanent trunking mode and negotiate to convert the link to
          a trunk link even if the neighboring interface is not a trunk interface.
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Step 5  switchport access vlan vlan-id
        (Optional) Specify the default VLAN, which is used if the interface stops trunking.

Step 6  switchport trunk native vlan vlan-id
        Specify the native VLAN for IEEE 802.1Q trunks.

Step 7  end
        Return to privileged EXEC mode.

Step 8  show interfaces interface-id switchport
        Display the switchport configuration of the interface in the Administrative Mode and the
        Administrative Trunking Encapsulation fields of the display.

Step 9  show interfaces interface-id trunk
        Display the trunk configuration of the interface.

Step 10 copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To  return  an  interface  to  its  default  configuration,  use  the  default  interface  interface-id  interface 
configuration  command.  To  reset  all  trunking  characteristics  of  a  trunking  interface  to  the  defaults,  use 
the  no  switchport  trunk  interface  configuration  command.  To  disable  trunking,  use  the  switchport 
mode  access  interface  configuration  command  to  configure  the  port  as  a  static-access  port. 

This example shows how to configure a port as an IEEE 802.1Q trunk. The example assumes that the
neighbor interface is configured to support IEEE 802.1Q trunking.

Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# switchport mode dynamic desirable
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# end


Defining  the  Allowed  VLANs  on  a  Trunk 

By  default,  a  trunk  port  sends  traffic  to  and  receives  traffic  from  all  VLANs.  All  VLAN  IDs,  1  to  4094, 
are  allowed  on  each  trunk.  However,  you  can  remove  VLANs  from  the  allowed  list,  preventing  traffic 
from  those  VLANs  from  passing  over  the  trunk.  To  restrict  the  traffic  a  trunk  carries,  use  the  switchport 
trunk  allowed  vlan  remove  vlan-list  interface  configuration  command  to  remove  specific  VLANs  from 
the  allowed  list. 

Note    VLAN 1 is the default VLAN on all trunk ports in all Cisco switches, and it has previously been
a requirement that VLAN 1 always be enabled on every trunk link. You can use the VLAN 1 minimization
feature to disable VLAN 1 on any individual VLAN trunk link so that no user traffic (including
spanning-tree advertisements) is sent or received on VLAN 1.

To reduce the risk of spanning-tree loops or storms, you can disable VLAN 1 on any individual VLAN
trunk port by removing VLAN 1 from the allowed list. When you remove VLAN 1 from a trunk port, the
interface continues to send and receive management traffic, for example, Cisco Discovery Protocol
(CDP), Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), DTP, and VTP in
VLAN 1.

If  a  trunk  port  with  VLAN  1  disabled  is  converted  to  a  nontrunk  port,  it  is  added  to  the  access  VLAN. 
If  the  access  VLAN  is  set  to  1,  the  port  will  be  added  to  VLAN  1,  regardless  of  the  switchport  trunk 
allowed  setting.  The  same  is  true  for  any  VLAN  that  has  been  disabled  on  the  port. 


Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide, 380261-003,
Chapter 9 Configuring VLANs, Configuring VLAN Trunks, page 9-19


A  trunk  port  can  become  a  member  of  a  VLAN  if  the  VLAN  is  enabled,  if  VTP  knows  of  the  VLAN, 
and  if  the  VLAN  is  in  the  allowed  list  for  the  port.  When  VTP  detects  a  newly  enabled  VLAN  and  the 
VLAN  is  in  the  allowed  list  for  a  trunk  port,  the  trunk  port  automatically  becomes  a  member  of  the 
enabled  VLAN.  When  VTP  detects  a  new  VLAN  and  the  VLAN  is  not  in  the  allowed  list  for  a  trunk 
port,  the  trunk  port  does  not  become  a  member  of  the  new  VLAN. 

Beginning in privileged EXEC mode, follow these steps to modify the allowed list of a trunk:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify the port to be configured, and enter interface configuration mode.

Step 3  switchport mode trunk
        Configure the interface as a VLAN trunk port.

Step 4  switchport trunk allowed vlan {add | all | except | remove} vlan-list
        (Optional) Configure the list of VLANs allowed on the trunk.
        For explanations about using the add, all, except, and remove keywords, see the command
        reference for this release.
        The vlan-list parameter is either a single VLAN number from 1 to 4094 or a range of VLANs
        described by two VLAN numbers, the lower one first, separated by a hyphen. Do not enter any
        spaces between comma-separated VLAN parameters or in hyphen-specified ranges.
        All VLANs are allowed by default.

Step 5  end
        Return to privileged EXEC mode.

Step 6  show interfaces interface-id switchport
        Verify your entries in the Trunking VLANs Enabled field of the display.

Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return to the default allowed VLAN list of all VLANs, use the no switchport trunk allowed vlan
interface configuration command.

This example shows how to remove VLAN 2 from the allowed VLAN list on a port:

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport trunk allowed vlan remove 2
Switch(config-if)# end
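As an added example (not code from this guide or from Cisco), the following Python script reads a constructed IOS-style running-config, applies the vlan-list rules and the add, all, except, and remove keywords of switchport trunk allowed vlan as described in the procedure above, fills in the Table 9-6 defaults (dynamic auto, native VLAN 1, all VLANs allowed), and reports the trunk settings an administrator would review: interfaces still in a DTP-negotiating mode from Table 9-4, trunks without switchport nonegotiate, trunks left on native VLAN 1, and allowed lists that still carry every VLAN or VLAN 1. The interface names and settings in the sample are constructed, and the bare form switchport trunk allowed vlan vlan-list, as it appears in running-config output, is assumed to replace the whole list.

```python
"""Trunk-port audit of an IOS-style running-config (added example, not Cisco's code)."""
import re

ALL_VLANS = frozenset(range(1, 4095))          # VLAN IDs 1 to 4094

# Constructed sample (not from a real switch). IOS omits defaults, so Gi0/3 is dynamic auto.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30-35
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface GigabitEthernet0/3
!
"""


def parse_vlan_list(text):
    """Parse a vlan-list: IDs or lower-upper ranges, comma-separated, no spaces."""
    if text is None or not re.fullmatch(r"\d+(-\d+)?(,\d+(-\d+)?)*", text):
        raise ValueError(f"malformed vlan-list: {text!r}")
    vlans = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad range {part!r}: lower ID first, IDs 1 to 4094")
        vlans.update(range(lo, hi + 1))
    return vlans


def apply_allowed(current, keyword, vlan_list=None):
    """Apply one add | all | except | remove keyword to the current allowed set."""
    if keyword == "all":
        return set(ALL_VLANS)
    ids = parse_vlan_list(vlan_list)
    if keyword == "add":
        return current | ids
    if keyword == "remove":
        return current - ids
    if keyword == "except":
        return set(ALL_VLANS) - ids
    raise ValueError(f"unknown keyword {keyword!r}")


def parse_interfaces(config):
    """Return {interface: settings}, starting each interface at the Table 9-6 defaults."""
    interfaces, cur = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            cur = {"mode": "dynamic auto", "nonegotiate": False, "native": 1, "allowed": set(ALL_VLANS)}
            interfaces[line.split(None, 1)[1]] = cur
        elif line == "!":                       # end of the interface block
            cur = None
        elif cur is None:
            continue
        elif line.startswith("switchport mode "):
            cur["mode"] = line[len("switchport mode "):]
        elif line == "switchport nonegotiate":
            cur["nonegotiate"] = True
        elif line.startswith("switchport trunk native vlan "):
            cur["native"] = int(line.rsplit(None, 1)[1])
        elif line.startswith("switchport trunk allowed vlan "):
            args = line[len("switchport trunk allowed vlan "):].split()
            if args[0] in ("add", "all", "except", "remove"):
                cur["allowed"] = apply_allowed(cur["allowed"], *args)
            else:                               # bare vlan-list replaces the whole list
                cur["allowed"] = parse_vlan_list(args[0])
    return interfaces


def audit(config):
    """Return {interface: [finding, ...]} for the trunk settings worth reviewing."""
    findings = {}
    for name, cfg in parse_interfaces(config).items():
        trunk, notes = cfg["mode"] == "trunk", []
        if cfg["mode"].startswith("dynamic"):
            notes.append(f"DTP negotiation enabled ({cfg['mode']}); a DTP neighbor can form a trunk")
        if trunk and not cfg["nonegotiate"]:
            notes.append("trunk still generates DTP frames; add 'switchport nonegotiate'")
        if trunk and cfg["native"] == 1:
            notes.append("native VLAN is 1, so untagged frames enter the default VLAN")
        if trunk and cfg["allowed"] == ALL_VLANS:
            notes.append("allowed list is every VLAN (1-4094); restrict it")
        elif trunk and 1 in cfg["allowed"]:
            notes.append("VLAN 1 still allowed on the trunk (see VLAN 1 minimization)")
        if notes:
            findings[name] = notes
    return findings


if __name__ == "__main__":
    for name, notes in audit(SAMPLE_CONFIG).items():
        print(name, *notes, sep="\n  - ")
```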


Changing  the  Pruning-Eligible  List 

The  pruning-eligible  list  applies  only  to  trunk  ports.  Each  trunk  port  has  its  own  eligibility  list.  VTP 
pruning  must  be  enabled  for  this  procedure  to  take  effect.  The  "Enabling  VTP  Pruning"  section  on 
page  10-14  describes  how  to  enable  VTP  pruning. 

Beginning in privileged EXEC mode, follow these steps to remove VLANs from the pruning-eligible
list on a trunk port:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Select the trunk port for which VLANs should be pruned, and enter interface configuration
        mode.
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Step 3  switchport trunk pruning vlan {add | except | none | remove} vlan-list [,vlan[,vlan[,...]]]
        Configure the list of VLANs allowed to be pruned from the trunk. (See the "VTP Pruning"
        section on page 10-4).
        For explanations about using the add, except, none, and remove keywords, see the command
        reference for this release.
        Separate nonconsecutive VLAN IDs with a comma and no spaces; use a hyphen to designate a
        range of IDs. Valid IDs are 2 to 1001. Extended-range VLANs (VLAN IDs 1006 to 4094) cannot
        be pruned.
        VLANs that are pruning-ineligible receive flooded traffic.
        The default list of VLANs allowed to be pruned contains VLANs 2 to 1001.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show interfaces interface-id switchport
        Verify your entries in the Pruning VLANs Enabled field of the display.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To  return  to  the  default  pruning-eligible  list  of  all  VLANs,  use  the  no  switchport  trunk  pruning  vlan 

interface  configuration  command. 


Configuring  the  Native  VLAN  for  Untagged  Traffic 

A trunk port configured with IEEE 802.1Q tagging can receive both tagged and untagged traffic. By
default, the switch forwards untagged traffic in the native VLAN configured for the port. The native
VLAN is VLAN 1 by default.

Note    The native VLAN can be assigned any VLAN ID.

For information about IEEE 802.1Q configuration issues, see the "IEEE 802.1Q Configuration
Considerations" section on page 9-16.

Beginning in privileged EXEC mode, follow these steps to configure the native VLAN on an
IEEE 802.1Q trunk:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Define the interface that is configured as the IEEE 802.1Q trunk, and enter interface
        configuration mode.

Step 3  switchport trunk native vlan vlan-id
        Configure the VLAN that is sending and receiving untagged traffic on the trunk port.
        For vlan-id, the range is 1 to 4094.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show interfaces interface-id switchport
        Verify your entries in the Trunking Native Mode VLAN field.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
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To return to the default native VLAN, VLAN 1, use the no switchport trunk native vlan interface
configuration command.

If  a  packet  has  a  VLAN  ID  that  is  the  same  as  the  outgoing  port  native  VLAN  ID,  the  packet  is  sent 
untagged;  otherwise,  the  switch  sends  the  packet  with  a  tag. 


Configuring  Trunk  Ports  for  Load  Sharing 

Load  sharing  divides  the  bandwidth  supplied  by  parallel  trunks  connecting  switches.  To  avoid  loops, 
STP  normally  blocks  all  but  one  parallel  link  between  switches.  Using  load  sharing,  you  divide  the 
traffic  between  the  links  according  to  which  VLAN  the  traffic  belongs. 

You  configure  load  sharing  on  trunk  ports  by  using  STP  port  priorities  or  STP  path  costs.  For  load 
sharing  using  STP  port  priorities,  both  load-sharing  links  must  be  connected  to  the  same  switch.  For  load 
sharing  using  STP  path  costs,  each  load-sharing  link  can  be  connected  to  the  same  switch  or  to  two 
different  switches.  For  more  information  about  STP,  see  Chapter  12,  "Configuring  STP." 


Load  Sharing  Using  STP  Port  Priorities 

When  two  ports  on  the  same  switch  form  a  loop,  the  switch  uses  the  STP  port  priority  to  decide  which 
port  is  enabled  and  which  port  is  in  a  blocking  state.  You  can  set  the  priorities  on  a  parallel  trunk  port 
so  that  the  port  carries  all  the  traffic  for  a  given  VLAN.  The  trunk  port  with  the  higher  priority  (lower 
values)  for  a  VLAN  is  forwarding  traffic  for  that  VLAN.  The  trunk  port  with  the  lower  priority  (higher 
values)  for  the  same  VLAN  remains  in  a  blocking  state  for  that  VLAN.  One  trunk  port  sends  or  receives 
all  traffic  for  the  VLAN. 

Figure  9-3  shows  two  trunks  connecting  supported  switches.  In  this  example,  the  switches  are 
configured  as  follows: 

•  VLANs  8  through  10  are  assigned  a  port  priority  of  16  on  Trunk  1. 

• VLANs 3 through 6 retain the default port priority of 128 on Trunk 1.

•  VLANs  3  through  6  are  assigned  a  port  priority  of  16  on  Trunk  2. 

•  VLANs  8  through  10  retain  the  default  port  priority  of  128  on  Trunk  2. 

In  this  way,  Trunk  1  carries  traffic  for  VLANs  8  through  10,  and  Trunk  2  carries  traffic  for  VLANs  3 
through  6.  If  the  active  trunk  fails,  the  trunk  with  the  lower  priority  takes  over  and  carries  the  traffic  for 
all  of  the  VLANs.  No  duplication  of  traffic  occurs  over  any  trunk  port. 


Figure 9-3  Load Sharing by Using STP Port Priorities
[Figure: Switch A connected to Switch B by two trunks. Trunk 1: VLANs 8-10 (priority 16), VLANs 3-6
(priority 128). Trunk 2: VLANs 3-6 (priority 16), VLANs 8-10 (priority 128).]
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Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 9-3.

Step 1  configure terminal
        Enter global configuration mode on Switch A.

Step 2  vtp domain domain-name
        Configure a VTP administrative domain. The domain name can be 1 to 32 characters.

Step 3  vtp mode server
        Configure Switch A as the VTP server.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show vtp status
        Verify the VTP configuration on both Switch A and Switch B. In the display, check the VTP
        Operating Mode and the VTP Domain Name fields.

Step 6  show vlan
        Verify that the VLANs exist in the database on Switch A.

Step 7  configure terminal
        Enter global configuration mode.

Step 8  interface gigabitethernet 0/1
        Define the interface to be configured as a trunk, and enter interface configuration mode.

Step 9  switchport trunk encapsulation {isl | dot1q | negotiate}
        Configure the port to support ISL or IEEE 802.1Q encapsulation or to negotiate with the
        neighboring interface. You must configure each end of the link with the same encapsulation
        type.

Step 10 switchport mode trunk
        Configure the port as a trunk port.

Step 11 end
        Return to privileged EXEC mode.

Step 12 show interfaces gigabitethernet 0/1 switchport
        Verify the VLAN configuration.

Step 13 Repeat Steps 7 through 11 on Switch A for a second port in the switch.

Step 14 Repeat Steps 7 through 11 on Switch B to configure the trunk ports that connect to the trunk
        ports configured on Switch A.

Step 15 show vlan
        When the trunk links come up, VTP passes the VTP and VLAN information to Switch B. Verify
        that Switch B has learned the VLAN configuration.

Step 16 configure terminal
        Enter global configuration mode on Switch A.

Step 17 interface gigabitethernet 0/1
        Define the interface to set the STP port priority, and enter interface configuration mode.

Step 18 spanning-tree vlan 8-10 port-priority 16
        Assign the port priority of 16 for VLANs 8 through 10.

Step 19 exit
        Return to global configuration mode.

Step 20 interface gigabitethernet0/2
        Define the interface to set the STP port priority, and enter interface configuration mode.

Step 21 spanning-tree vlan 3-6 port-priority 16
        Assign the port priority of 16 for VLANs 3 through 6.

Step 22 end
        Return to privileged EXEC mode.

Step 23 show running-config
        Verify your entries.

Step 24 copy running-config startup-config
        (Optional) Save your entries in the configuration file.
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Load  Sharing  Using  STP  Path  Cost 


You  can  configure  parallel  trunks  to  share  VLAN  traffic  by  setting  different  path  costs  on  a  trunk  and 
associating  the  path  costs  with  different  sets  of  VLANs,  blocking  different  ports  for  different  VLANs. 
The  VLANs  keep  the  traffic  separate  and  maintain  redundancy  in  the  event  of  a  lost  link. 

In  Figure  9-4,  Trunk  ports  1  and  2  are  configured  as  100BASE-T  ports.  These  VLAN  path  costs  are 
assigned: 

•  VLANs  2  through  4  are  assigned  a  path  cost  of  30  on  Trunk  port  1. 

•  VLANs  8  through  10  retain  the  default  100BASE-T  path  cost  on  Trunk  port  1  of  19. 

•  VLANs  8  through  10  are  assigned  a  path  cost  of  30  on  Trunk  port  2. 

•  VLANs  2  through  4  retain  the  default  100BASE-T  path  cost  on  Trunk  port  2  of  19. 

Figure 9-4  Load-Sharing Trunks with Traffic Distributed by Path Cost
[Figure: Switch A connected to Switch B by two trunk ports. Trunk port 1: VLANs 2-4 (path cost 30),
VLANs 8-10 (path cost 19). Trunk port 2: VLANs 8-10 (path cost 30), VLANs 2-4 (path cost 19).]


Beginning in privileged EXEC mode, follow these steps to configure the network shown in Figure 9-4:

Step 1  configure terminal
        Enter global configuration mode on Switch A.

Step 2  interface gigabitethernet0/1
        Define the interface to be configured as a trunk, and enter interface configuration mode.

Step 3  switchport trunk encapsulation {isl | dot1q | negotiate}
        Configure the port to support ISL or IEEE 802.1Q encapsulation. You must configure each end
        of the link with the same encapsulation type.

Step 4  switchport mode trunk
        Configure the port as a trunk port. The trunk defaults to ISL trunking.

Step 5  exit
        Return to global configuration mode.

Step 6  Repeat Steps 2 through 5 on a second interface in Switch A.

Step 7  end
        Return to privileged EXEC mode.

Step 8  show running-config
        Verify your entries. In the display, make sure that the interfaces are configured as trunk
        ports.

Step 9  show vlan
        When the trunk links come up, Switch A receives the VTP information from the other switches.
        Verify that Switch A has learned the VLAN configuration.

Step 10 configure terminal
        Enter global configuration mode.

Step 11 interface gigabitethernet0/1
        Define the interface on which to set the STP cost, and enter interface configuration mode.
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Step  14 


Command 

Purpose 

spanning-tree  vlan  2-4  cost  30 

Set  the  spanning-tree  path  cost  to  30  for  VLANs  2  through  4. 

end 

Return  to  global  configuration  mode. 

r»                         4.     C  4.                     C\     4-1                            L      n                     4.1                    4.1                                    £•                         J     4.                  1         *        4.  £ 

Repeat  Steps  9  through  13  on  the  other  configured  trunk  interlace  on 
Switch  A,  and  set  the  spanning-tree  path  cost  to  30  for  VLANs  8,  9,  and 
10. 

exit 

Return  to  privileged  EXEC  mode. 

show  running-config 

Verify  your  entries.  In  the  display,  verify  that  the  path  costs  are  set 
correctly  for  both  trunk  interfaces. 

copy  running-config  startup-config 

(Optional)  Save  your  entries  in  the  configuration  file. 
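As an added example that is not part of the guide, the procedure above collected into one Switch A session, in the same order as the steps. It assumes the second trunk is gigabitethernet0/2 and that the spanning-tree root is reached through Switch B, so the lower-cost trunk forwards a VLAN and the higher-cost trunk blocks it:

```ios
! Added example, not from the guide. Assumptions: the second trunk is
! gigabitethernet0/2, and the spanning-tree root lies beyond Switch B, so on
! Switch A the lower-cost trunk is the root port for a VLAN (forwarding) and
! the higher-cost trunk blocks that VLAN. Switch B must use the same
! encapsulation on both links.
configure terminal
 interface gigabitethernet0/1
  switchport trunk encapsulation dot1q
  switchport mode trunk
  exit
 interface gigabitethernet0/2
  switchport trunk encapsulation dot1q
  switchport mode trunk
  exit
end
! Both interfaces must show as trunk ports, and the VLANs must have been
! learned through VTP before the per-VLAN costs are applied.
show running-config
show vlan
configure terminal
 interface gigabitethernet0/1
  ! Trunk port 1: VLANs 2-4 raised to 30 (blocked here), VLANs 8-10 keep the
  ! default cost (19 in Figure 9-4) and forward on this trunk.
  spanning-tree vlan 2-4 cost 30
  exit
 interface gigabitethernet0/2
  ! Trunk port 2: VLANs 8-10 raised to 30 (blocked here), VLANs 2-4 keep the
  ! default cost and forward on this trunk.
  spanning-tree vlan 8-10 cost 30
  exit
end
! Verify that each trunk carries the cost 30 entry for its own VLAN range,
! then save.
show running-config
copy running-config startup-config
```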

Configuring  VMPS 

The  VLAN  Query  Protocol  (VQP)  is  used  to  support  dynamic-access  ports,  which  are  not  permanently 
assigned  to  a  VLAN,  but  give  VLAN  assignments  based  on  the  MAC  source  addresses  seen  on  the  port. 
Each  time  an  unknown  MAC  address  is  seen,  the  switch  sends  a  VQP  query  to  a  remote  VMPS;  the  query 
includes  the  newly  seen  MAC  address  and  the  port  on  which  it  was  seen.  The  VMPS  responds  with  a 
VLAN  assignment  for  the  port.  The  switch  cannot  be  a  VMPS  server  but  can  act  as  a  client  to  the  VMPS 
and  communicate  with  it  through  VQP. 

These  sections  contain  this  information: 

•  "Understanding  VMPS"  section  on  page  9-25 

•  "Default  VMPS  Client  Configuration"  section  on  page  9-26 

•  "VMPS  Configuration  Guidelines"  section  on  page  9-27 

•  "Configuring  the  VMPS  Client"  section  on  page  9-27 

•  "Monitoring  the  VMPS"  section  on  page  9-30 

•  "Troubleshooting  Dynamic-Access  Port  VLAN  Membership"  section  on  page  9-30 

•  "VMPS  Configuration  Example"  section  on  page  9-30 


Understanding  VMPS 

Each time the client switch receives the MAC address of a new host, it sends a VQP query to the VMPS. When the VMPS receives this query, it searches its database for a MAC-address-to-VLAN mapping. The server response is based on this mapping and whether or not the server is in open or secure mode. In secure mode, the server shuts down the port when an illegal host is detected. In open mode, the server simply denies the host access to the port.

If the port is currently unassigned (that is, it does not yet have a VLAN assignment), the VMPS provides one of these responses:

• If the host is allowed on the port, the VMPS sends the client a vlan-assignment response containing the assigned VLAN name and allowing access to the host.

• If the host is not allowed on the port and the VMPS is in open mode, the VMPS sends an access-denied response.

• If the host is not allowed on the port and the VMPS is in secure mode, the VMPS sends a port-shutdown response.

If the port already has a VLAN assignment, the VMPS provides one of these responses:

• If the VLAN in the database matches the current VLAN on the port, the VMPS sends a success response, allowing access to the host.

• If the VLAN in the database does not match the current VLAN on the port and active hosts exist on the port, the VMPS sends an access-denied or a port-shutdown response, depending on the secure mode of the VMPS.

If the switch receives an access-denied response from the VMPS, it continues to block traffic to and from the host MAC address. The switch continues to monitor the packets directed to the port and sends a query to the VMPS when it identifies a new host address. If the switch receives a port-shutdown response from the VMPS, it disables the port. The port must be manually re-enabled by using the CLI or SNMP.

Dynamic-Access  Port  VLAN  Membership 

A  dynamic-access  port  can  belong  to  only  one  VLAN  with  an  ID  from  1  to  4094.  When  the  link  comes 
up,  the  switch  does  not  forward  traffic  to  or  from  this  port  until  the  VMPS  provides  the  VLAN 
assignment.  The  VMPS  receives  the  source  MAC  address  from  the  first  packet  of  a  new  host  connected 
to  the  dynamic-access  port  and  attempts  to  match  the  MAC  address  to  a  VLAN  in  the  VMPS  database. 

If  there  is  a  match,  the  VMPS  sends  the  VLAN  number  for  that  port.  If  the  client  switch  was  not 
previously  configured,  it  uses  the  domain  name  from  the  first  VTP  packet  it  receives  on  its  trunk  port 
from  the  VMPS.  If  the  client  switch  was  previously  configured,  it  includes  its  domain  name  in  the  query 
packet  to  the  VMPS  to  obtain  its  VLAN  number.  The  VMPS  verifies  that  the  domain  name  in  the  packet 
matches  its  own  domain  name  before  accepting  the  request  and  responds  to  the  client  with  the  assigned 
VLAN  number  for  the  client.  If  there  is  no  match,  the  VMPS  either  denies  the  request  or  shuts  down  the 
port  (depending  on  the  VMPS  secure  mode  setting). 

Multiple  hosts  (MAC  addresses)  can  be  active  on  a  dynamic-access  port  if  they  are  all  in  the  same 
VLAN;  however,  the  VMPS  shuts  down  a  dynamic-access  port  if  more  than  20  hosts  are  active  on  the 
port. 

If  the  link  goes  down  on  a  dynamic-access  port,  the  port  returns  to  an  isolated  state  and  does  not  belong 
to  a  VLAN.  Any  hosts  that  come  online  through  the  port  are  checked  again  through  the  VQP  with  the 
VMPS  before  the  port  is  assigned  to  a  VLAN. 

Dynamic-access  ports  can  be  used  for  direct  host  connections,  or  they  can  connect  to  a  network.  A 
maximum  of  20  MAC  addresses  are  allowed  per  port  on  the  switch.  A  dynamic-access  port  can  belong 
to  only  one  VLAN  at  a  time,  but  the  VLAN  can  change  over  time,  depending  on  the  MAC  addresses 
seen. 

Default  VMPS  Client  Configuration 

Table 9-7 shows the default VMPS and dynamic-access port configuration on client switches.

Table 9-7 Default VMPS Client and Dynamic-Access Port Configuration

Feature                    Default Setting
VMPS domain server         None
VMPS reconfirm interval    60 minutes
VMPS server retry count    3
Dynamic-access ports       None configured

VMPS  Configuration  Guidelines 

These guidelines and restrictions apply to dynamic-access port VLAN membership:

• You should configure the VMPS before you configure ports as dynamic-access ports.

• When you configure a port as a dynamic-access port, the spanning-tree Port Fast feature is automatically enabled for that port. The Port Fast mode accelerates the process of bringing the port into the forwarding state.

• IEEE 802.1x ports cannot be configured as dynamic-access ports. If you try to enable IEEE 802.1x on a dynamic-access (VQP) port, an error message appears, and IEEE 802.1x is not enabled. If you try to change an IEEE 802.1x-enabled port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.

• Trunk ports cannot be dynamic-access ports, but you can enter the switchport access vlan dynamic interface configuration command for a trunk port. In this case, the switch retains the setting and applies it if the port is later configured as an access port. You must turn off trunking on the port before the dynamic-access setting takes effect.

• Dynamic-access ports cannot be monitor ports.

• Secure ports cannot be dynamic-access ports. You must disable port security on a port before it becomes dynamic.

• Dynamic-access ports cannot be members of an EtherChannel group.

• Port channels cannot be configured as dynamic-access ports.

• The VTP management domain of the VMPS client and the VMPS server must be the same.

• The VLAN configured on the VMPS server should not be a voice VLAN.

Configuring  the  VMPS  Client 

You  configure  dynamic  VLANs  by  using  the  VMPS  (server).  The  switch  can  be  a  VMPS  client;  it  cannot 
be  a  VMPS  server. 

Entering the IP Address of the VMPS

You must first enter the IP address of the server to configure the switch as a client.

Note If the VMPS is being defined for a cluster of switches, enter the address on the command switch.

Beginning in privileged EXEC mode, follow these steps to enter the IP address of the VMPS:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   vmps server ipaddress primary
         Enter the IP address of the switch acting as the primary VMPS server.

Step 3   vmps server ipaddress
         (Optional) Enter the IP address of the switch acting as a secondary VMPS server. You can enter up to three secondary server addresses.

Step 4   end
         Return to privileged EXEC mode.

Step 5   show vmps
         Verify your entries in the VMPS Domain Server field of the display.

Step 6   copy running-config startup-config
         (Optional) Save your entries in the configuration file.


Note You must have IP connectivity to the VMPS for dynamic-access ports to work. You can test for IP connectivity by pinging the IP address of the VMPS and verifying that you get a response.

Configuring Dynamic-Access Ports on VMPS Clients

Note If you are configuring a port on a cluster member switch as a dynamic-access port, first use the rcommand privileged EXEC command to log in to the cluster member switch.

Caution Dynamic-access port VLAN membership is for end stations or hubs connected to end stations. Connecting dynamic-access ports to other switches can cause a loss of connectivity.

Beginning in privileged EXEC mode, follow these steps to configure a dynamic-access port on a VMPS client switch:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   interface interface-id
         Specify the switch port that is connected to the end station, and enter interface configuration mode.

Step 3   switchport mode access
         Set the port to access mode.

Step 4   switchport access vlan dynamic
         Configure the port as eligible for dynamic VLAN membership. The dynamic-access port must be connected to an end station.

Step 5   end
         Return to privileged EXEC mode.

Step 6   show interfaces interface-id switchport
         Verify your entries in the Operational Mode field of the display.

Step 7   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To return an interface to its default configuration, use the default interface interface-id interface configuration command. To return an interface to its default switchport mode (dynamic auto), use the no switchport mode interface configuration command. To reset the access mode to the default VLAN for the switch, use the no switchport access vlan interface configuration command.
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Reconfirming  VLAN  Memberships 

Beginning in privileged EXEC mode, follow these steps to confirm the dynamic-access port VLAN membership assignments that the switch has received from the VMPS:

Step 1   vmps reconfirm
         Reconfirm dynamic-access port VLAN membership.

Step 2   show vmps
         Verify the dynamic VLAN reconfirmation status.

Changing  the  Reconfirmation  Interval 


VMPS clients periodically reconfirm the VLAN membership information received from the VMPS. You can set the number of minutes after which reconfirmation occurs.

If you are configuring a member switch in a cluster, this parameter must be equal to or greater than the reconfirmation setting on the command switch. You must also first use the rcommand privileged EXEC command to log in to the member switch.

Beginning in privileged EXEC mode, follow these steps to change the reconfirmation interval:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   vmps reconfirm minutes
         Enter the number of minutes between reconfirmations of the dynamic VLAN membership. The range is 1 to 120. The default is 60 minutes.

Step 3   end
         Return to privileged EXEC mode.

Step 4   show vmps
         Verify the dynamic VLAN reconfirmation status in the Reconfirm Interval field of the display.

Step 5   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To return the switch to its default setting, use the no vmps reconfirm global configuration command.

Changing  the  Retry  Count 


Beginning in privileged EXEC mode, follow these steps to change the number of times that the switch attempts to contact the VMPS before querying the next server:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   vmps retry count
         Change the retry count. The retry range is 1 to 10; the default is 3.

Step 3   end
         Return to privileged EXEC mode.

Step 4   show vmps
         Verify your entry in the Server Retry Count field of the display.

Step 5   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To return the switch to its default setting, use the no vmps retry global configuration command.
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Monitoring  the  VMPS 

You  can  display  information  about  the  VMPS  by  using  the  show  vmps  privileged  EXEC  command.  The 
switch  displays  this  information  about  the  VMPS: 

•  VMPS  VQP  Version — the  version  of  VQP  used  to  communicate  with  the  VMPS.  The  switch  queries 
the  VMPS  that  is  using  VQP  Version  1. 

•  Reconfirm  Interval — the  number  of  minutes  the  switch  waits  before  reconfirming  the 
VLAN-to-MAC-address  assignments. 

•  Server  Retry  Count — the  number  of  times  VQP  resends  a  query  to  the  VMPS.  If  no  response  is 
received  after  this  many  tries,  the  switch  starts  to  query  the  secondary  VMPS. 

•  VMPS  domain  server — the  IP  address  of  the  configured  VLAN  membership  policy  servers.  The 
switch  sends  queries  to  the  one  marked  current.  The  one  marked  primary  is  the  primary  server. 

•  VMPS  Action — the  result  of  the  most  recent  reconfirmation  attempt.  A  reconfirmation  attempt  can 
occur  automatically  when  the  reconfirmation  interval  expires,  or  you  can  force  it  by  entering  the 
vmps  reconfirm  privileged  EXEC  command  or  its  SNMP  equivalent. 

This is an example of output for the show vmps privileged EXEC command:

Switch# show vmps
VQP Client Status:

VMPS VQP Version:   1
Reconfirm Interval: 60 min
Server Retry Count: 3
VMPS domain server: 172.20.128.86 (primary, current)
                    172.20.128.87

Reconfirmation status

VMPS Action:        other


Troubleshooting  Dynamic-Access  Port  VLAN  Membership 

The  VMPS  shuts  down  a  dynamic-access  port  under  these  conditions: 

•  The  VMPS  is  in  secure  mode,  and  it  does  not  allow  the  host  to  connect  to  the  port.  The  VMPS  shuts 
down  the  port  to  prevent  the  host  from  connecting  to  the  network. 

•  More  than  20  active  hosts  reside  on  a  dynamic-access  port. 

To  re-enable  a  disabled  dynamic-access  port,  enter  the  shutdown  interface  configuration  command 
followed  by  the  no  shutdown  interface  configuration  command. 
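As an added example that is not part of the guide, one VMPS client switch configured end to end with the procedures from "Entering the IP Address of the VMPS" through "Changing the Retry Count", followed by the recovery step from this troubleshooting section. The server addresses are those of the show vmps output above; the port gigabitethernet0/5 and the reconfirm and retry values are assumed:

```ios
! Added example, not from the guide. Assumptions: gigabitethernet0/5 connects
! directly to an end station (never to another switch), and the reconfirm
! interval and retry count are illustrative values inside the documented ranges.
configure terminal
 ! Server list: one primary, then up to three secondaries (one here).
 ! Both servers must be in the same VTP management domain as this client.
 vmps server 172.20.128.86 primary
 vmps server 172.20.128.87
 ! Reconfirm dynamic memberships every 30 minutes (range 1-120, default 60).
 vmps reconfirm 30
 ! Try each server 5 times before moving to the next (range 1-10, default 3).
 vmps retry 5
 interface gigabitethernet0/5
  ! The port must not be a trunk, an IEEE 802.1x port, a secure port, a
  ! monitor port, or an EtherChannel member; Port Fast is enabled automatically.
  switchport mode access
  switchport access vlan dynamic
  exit
end
! Dynamic assignment needs IP reachability to the VMPS; check it first.
ping 172.20.128.86
show vmps
show interfaces gigabitethernet0/5 switchport
! Force a reconfirmation now instead of waiting for the interval, then read
! the result in the VMPS Action field.
vmps reconfirm
show vmps
! A port shut down by the VMPS (secure mode, or more than 20 active hosts)
! stays disabled until an administrator bounces it.
configure terminal
 interface gigabitethernet0/5
  shutdown
  no shutdown
 end
```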

VMPS  Configuration  Example 

Figure  9-5  shows  a  network  with  a  VMPS  server  switch  and  VMPS  client  switches  with  dynamic-access 
ports.  In  this  example,  these  assumptions  apply: 

•  The  VMPS  server  and  the  VMPS  client  are  separate  switches. 

•  The  Catalyst  6500  series  Switch  A  is  the  primary  VMPS  server. 

•  The  Catalyst  6500  series  Switch  C  and  Switch  J  are  secondary  VMPS  servers. 
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•  End  stations  are  connected  to  the  clients,  Switch  B  and  Switch  I. 

•  The  database  configuration  file  is  stored  on  the  TFTP  server  with  the  IP  address  172.20.22.7. 


Figure  9-5  Dynamic  Port  VLAN  Membership  Configuration 
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Configuring  VTP 


This  chapter  describes  how  to  use  the  VLAN  Trunking  Protocol  (VTP)  and  the  VLAN  database  for 
managing  VLANs  with  the  switch. 

Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.

The  chapter  consists  of  these  sections: 

•  Understanding  VTP,  page  10-1 

•  Configuring  VTP,  page  10-6 

•  Monitoring  VTP,  page  10-16 

Understanding  VTP 

VTP  is  a  Layer  2  messaging  protocol  that  maintains  VLAN  configuration  consistency  by  managing  the 
addition,  deletion,  and  renaming  of  VLANs  on  a  network-wide  basis.  VTP  minimizes  misconfigurations 
and  configuration  inconsistencies  that  can  cause  several  problems,  such  as  duplicate  VLAN  names, 
incorrect  VLAN-type  specifications,  and  security  violations. 

Before  you  create  VLANs,  you  must  decide  whether  to  use  VTP  in  your  network.  Using  VTP,  you  can 
make  configuration  changes  centrally  on  one  or  more  switches  and  have  those  changes  automatically 
communicated  to  all  the  other  switches  in  the  network.  Without  VTP,  you  cannot  send  information  about 
VLANs  to  other  switches. 

VTP  is  designed  to  work  in  an  environment  where  updates  are  made  on  a  single  switch  and  are  sent 
through  VTP  to  other  switches  in  the  domain.  It  does  not  work  well  in  a  situation  where  multiple  updates 
to  the  VLAN  database  occur  simultaneously  on  switches  in  the  same  domain,  which  would  result  in  an 
inconsistency  in  the  VLAN  database. 

The  switch  supports  1005  VLANs,  but  the  number  of  configured  features  affects  the  usage  of  the  switch 
hardware.  If  the  switch  is  notified  by  VTP  of  a  new  VLAN  and  the  switch  is  already  using  the  maximum 
available  hardware  resources,  it  sends  a  message  that  there  are  not  enough  hardware  resources  available 
and  shuts  down  the  VLAN.  The  output  of  the  show  vlan  user  EXEC  command  shows  the  VLAN  in  a 
suspended  state. 

VTP  only  learns  about  normal-range  VLANs  (VLAN  IDs  1  to  1005).  Extended-range  VLANs  (VLAN 
IDs  greater  than  1005)  are  not  supported  by  VTP  or  stored  in  the  VTP  VLAN  database. 
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These  sections  contain  this  conceptual  information: 

•  The  VTP  Domain,  page  10-2 

•  VTP  Modes,  page  10-3 

•  VTP  Advertisements,  page  10-3 

•  VTP  Version  2,  page  10-4 

•  VTP  Pruning,  page  10-4 

The  VTP  Domain 

A  VTP  domain  (also  called  a  VLAN  management  domain)  consists  of  one  switch  or  several 
interconnected  switches  under  the  same  administrative  responsibility  sharing  the  same  VTP  domain 
name.  A  switch  can  be  in  only  one  VTP  domain.  You  make  global  VLAN  configuration  changes  for  the 
domain. 

By  default,  the  switch  is  in  the  VTP  no-management-domain  state  until  it  receives  an  advertisement  for 
a  domain  over  a  trunk  link  (a  link  that  carries  the  traffic  of  multiple  VLANs)  or  until  you  configure  a 
domain  name.  Until  the  management  domain  name  is  specified  or  learned,  you  cannot  create  or  modify 
VLANs  on  a  VTP  server,  and  VLAN  information  is  not  propagated  over  the  network. 

If  the  switch  receives  a  VTP  advertisement  over  a  trunk  link,  it  inherits  the  management  domain  name 
and  the  VTP  configuration  revision  number.  The  switch  then  ignores  advertisements  with  a  different 
domain  name  or  an  earlier  configuration  revision  number. 

Caution Before adding a VTP client switch to a VTP domain, always verify that its VTP configuration revision number is lower than the configuration revision number of the other switches in the VTP domain. Switches in a VTP domain always use the VLAN configuration of the switch with the highest VTP configuration revision number. If you add a switch that has a revision number higher than the revision number in the VTP domain, it can erase all VLAN information from the VTP server and VTP domain. See the "Adding a VTP Client Switch to a VTP Domain" section on page 10-14 for the procedure for verifying and resetting the VTP configuration revision number.


When you make a change to the VLAN configuration on a VTP server, the change is propagated to all switches in the VTP domain. VTP advertisements are sent over all IEEE trunk connections, including Inter-Switch Link (ISL) and IEEE 802.1Q. VTP dynamically maps VLANs with unique names and internal index associates across multiple LAN types. Mapping eliminates excessive device administration required from network administrators.

If  you  configure  a  switch  for  VTP  transparent  mode,  you  can  create  and  modify  VLANs,  but  the  changes 
are  not  sent  to  other  switches  in  the  domain,  and  they  affect  only  the  individual  switch.  However, 
configuration  changes  made  when  the  switch  is  in  this  mode  are  saved  in  the  switch  running 
configuration  and  can  be  saved  to  the  switch  startup  configuration  file. 

For  domain  name  and  password  configuration  guidelines,  see  the  "VTP  Configuration  Guidelines" 
section  on  page  10-8. 


10-2
Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide
380261-003

Chapter 10 Configuring VTP
Understanding VTP


VTP  Modes 

You can configure a supported switch to be in one of the VTP modes listed in Table 10-1.

Table 10-1 VTP Modes

VTP Mode          Description

VTP server        In VTP server mode, you can create, modify, and delete VLANs, and specify other configuration parameters (such as the VTP version) for the entire VTP domain. VTP servers advertise their VLAN configurations to other switches in the same VTP domain and synchronize their VLAN configurations with other switches based on advertisements received over trunk links.
                  In VTP server mode, VLAN configurations are saved in NVRAM. VTP server is the default mode.

VTP client        A VTP client behaves like a VTP server and transmits and receives VTP updates on its trunks, but you cannot create, change, or delete VLANs on a VTP client. VLANs are configured on another switch in the domain that is in server mode.
                  In VTP client mode, VLAN configurations are not saved in NVRAM.

VTP transparent   VTP transparent switches do not participate in VTP. A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements. However, in VTP Version 2, transparent switches do forward VTP advertisements that they receive from other switches through their trunk interfaces. You can create, modify, and delete VLANs on a switch in VTP transparent mode.
                  The switch must be in VTP transparent mode when you create extended-range VLANs. See the "Configuring Extended-Range VLANs" section on page 9-11.
                  When the switch is in VTP transparent mode, the VTP and VLAN configurations are saved in NVRAM, but they are not advertised to other switches. In this mode, VTP mode and domain name are saved in the switch running configuration, and you can save this information in the switch startup configuration file by using the copy running-config startup-config privileged EXEC command.

VTP  Advertisements 

Each  switch  in  the  VTP  domain  sends  periodic  global  configuration  advertisements  from  each  trunk  port 
to  a  reserved  multicast  address.  Neighboring  switches  receive  these  advertisements  and  update  their 
VTP  and  VLAN  configurations  as  necessary. 

Note Because trunk ports send and receive VTP advertisements, you must ensure that at least one trunk port is configured on the switch and that this trunk port is connected to the trunk port of another switch. Otherwise, the switch cannot receive any VTP advertisements. For more information on trunk ports, see the "Configuring VLAN Trunks" section on page 9-14.

VTP  advertisements  distribute  this  global  domain  information: 

•  VTP  domain  name 

•  VTP  configuration  revision  number 

•  Update  identity  and  update  timestamp 
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•  MD5  digest  VLAN  configuration,  including  maximum  transmission  unit  (MTU)  size  for  each 
VLAN. 

•  Frame  format 

VTP  advertisements  distribute  this  VLAN  information  for  each  configured  VLAN: 

• VLAN IDs (ISL and IEEE 802.1Q)

•  VLAN  name 

•  VLAN  type 

•  VLAN  state 

•  Additional  VLAN  configuration  information  specific  to  the  VLAN  type 

VTP  Version  2 

If you use VTP in your network, you must decide whether to use Version 1 or Version 2. By default, VTP operates in Version 1.

VTP  Version  2  supports  these  features  that  are  not  supported  in  Version  1: 

•  Token  Ring  support — VTP  Version  2  supports  Token  Ring  Bridge  Relay  Function  (TrBRF)  and 
Token  Ring  Concentrator  Relay  Function  (TrCRF)  VLANs.  For  more  information  about  Token 
Ring  VLANs,  see  the  "Configuring  Normal-Range  VLANs"  section  on  page  9-4. 

•  Unrecognized  Type-Length- Value  (TLV)  support — A  VTP  server  or  client  propagates 
configuration  changes  to  its  other  trunks,  even  for  TLVs  it  is  not  able  to  parse.  The  unrecognized 
TLV  is  saved  in  NVRAM  when  the  switch  is  operating  in  VTP  server  mode. 

•  Version-Dependent  Transparent  Mode — In  VTP  Version  1,  a  VTP  transparent  switch  inspects  VTP 
messages  for  the  domain  name  and  version  and  forwards  a  message  only  if  the  version  and  domain 
name  match.  Because  VTP  Version  2  supports  only  one  domain,  it  forwards  VTP  messages  in 
transparent  mode  without  inspecting  the  version  and  domain  name. 

• Consistency Checks — In VTP Version 2, VLAN consistency checks (such as VLAN names and values) are performed only when you enter new information through the CLI or SNMP. Consistency checks are not performed when new information is obtained from a VTP message or when information is read from NVRAM. If the MD5 digest on a received VTP message is correct, its information is accepted.

VTP  Pruning 

VTP  pruning  increases  network  available  bandwidth  by  restricting  flooded  traffic  to  those  trunk  links 
that  the  traffic  must  use  to  reach  the  destination  devices.  Without  VTP  pruning,  a  switch  floods 
broadcast,  multicast,  and  unknown  unicast  traffic  across  all  trunk  links  within  a  VTP  domain  even 
though  receiving  switches  might  discard  them.  VTP  pruning  is  disabled  by  default. 

VTP  pruning  blocks  unneeded  flooded  traffic  to  VLANs  on  trunk  ports  that  are  included  in  the 
pruning-eligible  list.  Only  VLANs  included  in  the  pruning-eligible  list  can  be  pruned.  By  default, 
VLANs  2  through  1001  are  pruning  eligible  switch  trunk  ports.  If  the  VLANs  are  configured  as 
pruning-ineligible,  the  flooding  continues.  VTP  pruning  is  supported  with  VTP  Version  1  and  Version  2. 
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Figure  10-1  shows  a  switched  network  without  VTP  pruning  enabled.  Port  1  on  Switch  A  and  Port  2  on 
Switch  D  are  assigned  to  the  Red  VLAN.  If  a  broadcast  is  sent  from  the  host  connected  to  Switch  A, 
Switch  A  floods  the  broadcast  and  every  switch  in  the  network  receives  it,  even  though  Switches  C,  E, 
and  F  have  no  ports  in  the  Red  VLAN. 

Figure 10-1 Flooding Traffic without VTP Pruning

[Figure: Switches A through F; Port 1 on Switch A and Port 2 on Switch D are in the Red VLAN, and the broadcast from Switch A reaches every switch.]

Figure  10-2  shows  a  switched  network  with  VTP  pruning  enabled.  The  broadcast  traffic  from  Switch  A 
is  not  forwarded  to  Switches  C,  E,  and  F  because  traffic  for  the  Red  VLAN  has  been  pruned  on  the  links 
shown  (Port  5  on  Switch  B  and  Port  4  on  Switch  D). 

Figure 10-2 Optimized Flooded Traffic with VTP Pruning

[Figure: the same network with Red VLAN traffic pruned on Port 5 of Switch B and Port 4 of Switch D, so the broadcast does not reach Switches C, E, and F.]

Enabling VTP pruning on a VTP server enables pruning for the entire management domain. Making VLANs pruning-eligible or pruning-ineligible affects pruning eligibility for those VLANs on that trunk only (not on all switches in the VTP domain).

See the "Enabling VTP Pruning" section on page 10-14. VTP pruning takes effect several seconds after you enable it. VTP pruning does not prune traffic from VLANs that are pruning-ineligible. VLAN 1 and VLANs 1002 to 1005 are always pruning-ineligible; traffic from these VLANs cannot be pruned. Extended-range VLANs (VLAN IDs higher than 1005) are also pruning-ineligible.

VTP pruning is not designed to function in VTP transparent mode. If one or more switches in the network are in VTP transparent mode, you should do one of these:

•  Turn off VTP pruning in the entire network.

•  Turn off VTP pruning by making all VLANs on the trunk of the switch upstream to the VTP transparent switch pruning ineligible.

To configure VTP pruning on an interface, use the switchport trunk pruning vlan interface configuration command (see the "Changing the Pruning-Eligible List" section on page 9-20). VTP pruning operates when an interface is trunking. You can set VLAN pruning-eligibility whether or not VTP pruning is enabled for the VTP domain, whether or not any given VLAN exists, and whether or not the interface is currently trunking.
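The pruning rules above, as an added Python model (this is an example written for this page, not Cisco code): a broadcast is flooded across every trunk unless pruning is on, the VLAN is pruning-eligible on that trunk, and no switch beyond the trunk has a port in the VLAN. The topology, the Red VLAN ID and the port assignments are constructed to match the description of Figures 10-1 and 10-2; which physical trunks the figures prune is an assumption (Switch B to Switch C and Switch D to Switch E here).

```python
"""Model of which VLANs VTP pruning removes from each trunk link.

Added example, not Cisco code. The topology, port assignments and VLAN
IDs are constructed to match the description of Figures 10-1 and 10-2
(Switch A and Switch D have ports in the Red VLAN; Switches C, E and F
do not); which trunks are pruned in the figures is assumed.
"""
from collections import defaultdict

RED = 10   # constructed VLAN ID standing in for the figures' "Red VLAN"


def pruning_ineligible(vlan):
    """VLAN 1, VLANs 1002 to 1005 and extended-range VLANs are never pruned."""
    return vlan == 1 or 1002 <= vlan <= 1005 or vlan > 1005


def default_eligible_list():
    """By default VLANs 2 through 1001 are pruning-eligible on a trunk."""
    return set(range(2, 1002))


class Network:
    def __init__(self):
        self.links = defaultdict(set)    # switch -> neighbouring switches
        self.ports = defaultdict(set)    # switch -> VLANs with local ports
        self.eligible = {}               # (switch, neighbour) -> eligible VLANs

    def add_trunk(self, a, b):
        self.links[a].add(b)
        self.links[b].add(a)
        self.eligible[(a, b)] = default_eligible_list()
        self.eligible[(b, a)] = default_eligible_list()

    def add_port(self, switch, vlan):
        self.ports[switch].add(vlan)

    def beyond(self, frm, to):
        """Switches reachable through the trunk frm -> to (tree topology)."""
        seen, stack = set(), [to]
        while stack:
            s = stack.pop()
            if s in seen:
                continue
            seen.add(s)
            stack.extend(n for n in self.links[s] if n != frm)
        return seen

    def pruned(self, frm, to, vlan, pruning_on=True):
        """True if traffic for `vlan` is pruned on the trunk frm -> to."""
        if not pruning_on or pruning_ineligible(vlan):
            return False
        if vlan not in self.eligible[(frm, to)]:
            return False        # made ineligible on this trunk only
        # Prune when no switch beyond the trunk has a port in the VLAN.
        return not any(vlan in self.ports[s] for s in self.beyond(frm, to))

    def flood(self, source, vlan, pruning_on=True):
        """Trunk links (frm, to) a broadcast from `source` in `vlan` crosses."""
        crossed, seen, stack = set(), {source}, [source]
        while stack:
            s = stack.pop()
            for n in self.links[s]:
                if n in seen or self.pruned(s, n, vlan, pruning_on):
                    continue
                crossed.add((s, n))
                seen.add(n)
                stack.append(n)
        return crossed


def figure_network():
    """Constructed topology: A-B, B-C, B-D, D-E, E-F; Red ports on A and D."""
    net = Network()
    for a, b in [("A", "B"), ("B", "C"), ("B", "D"), ("D", "E"), ("E", "F")]:
        net.add_trunk(a, b)
    net.add_port("A", RED)   # Port 1 on Switch A
    net.add_port("D", RED)   # Port 2 on Switch D
    return net


def links_without_pruning():
    return sorted(figure_network().flood("A", RED, pruning_on=False))


def links_with_pruning():
    return sorted(figure_network().flood("A", RED))


def links_vlan1_with_pruning():
    """VLAN 1 is pruning-ineligible, so it is still flooded everywhere."""
    return sorted(figure_network().flood("A", 1))


def links_after_making_red_ineligible_on_b_to_c():
    """switchport trunk pruning vlan on one trunk affects that trunk only."""
    net = figure_network()
    net.eligible[("B", "C")].discard(RED)
    return sorted(net.flood("A", RED))
```

Without pruning the broadcast crosses all five trunks; with pruning it crosses only A-B and B-D, while VLAN 1 is still flooded everywhere, and making the Red VLAN ineligible on the B-C trunk re-opens that one trunk without affecting D-E.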


Configuring VTP

These sections contain this configuration information:

•  Default VTP Configuration, page 10-6

•  VTP Configuration Options, page 10-7

•  VTP Configuration Guidelines, page 10-8

•  Configuring a VTP Server, page 10-9

•  Configuring a VTP Client, page 10-11

•  Disabling VTP (VTP Transparent Mode), page 10-12

•  Enabling VTP Version 2, page 10-13

•  Enabling VTP Pruning, page 10-14

•  Adding a VTP Client Switch to a VTP Domain, page 10-14

Default VTP Configuration

Table 10-2 shows the default VTP configuration.

Table 10-2    Default VTP Configuration

Feature            Default Setting
VTP domain name    Null.
VTP mode           Server.
VTP version        Version 1 (Version 2 is disabled).
VTP password       None.
VTP pruning        Disabled.
VTP Configuration Options

You can configure VTP by using these configuration modes:

•  VTP Configuration in Global Configuration Mode, page 10-7

•  VTP Configuration in VLAN Database Configuration Mode, page 10-7

You access VLAN database configuration mode by entering the vlan database privileged EXEC command.

For detailed information about vtp commands, see the command reference for this release.

VTP Configuration in Global Configuration Mode

You can use the vtp global configuration command to set the VTP password, the version, the VTP file name, the interface providing updated VTP information, the domain name, and the mode, and to disable or enable pruning. For more information about available keywords, see the command descriptions in the command reference for this release. The VTP information is saved in the VTP VLAN database. When VTP mode is transparent, the VTP domain name and mode are also saved in the switch running configuration file, and you can save it in the switch startup configuration file by entering the copy running-config startup-config privileged EXEC command. You must use this command if you want to save VTP mode as transparent, even if the switch resets.

When you save VTP information in the switch startup configuration file and reboot the switch, the switch configuration is selected as follows:

•  If the VTP mode is transparent in the startup configuration and the VLAN database and the VTP domain name from the VLAN database matches that in the startup configuration file, the VLAN database is ignored (cleared), and the VTP and VLAN configurations in the startup configuration file are used. The VLAN database revision number remains unchanged in the VLAN database.

•  If the VTP mode or domain name in the startup configuration do not match the VLAN database, the domain name and VTP mode and configuration for the first 1005 VLANs use the VLAN database information.

VTP Configuration in VLAN Database Configuration Mode

You can configure all VTP parameters in VLAN database configuration mode, which you access by entering the vlan database privileged EXEC command. For more information about available keywords, see the vtp VLAN database configuration command description in the command reference for this release. When you enter the exit command in VLAN database configuration mode, it applies all the commands that you entered and updates the VLAN database. VTP messages are sent to other switches in the VTP domain, and the privileged EXEC mode prompt appears.

If VTP mode is transparent, the domain name and the mode (transparent) are saved in the switch running configuration, and you can save this information in the switch startup configuration file by entering the copy running-config startup-config privileged EXEC command.
VTP Configuration Guidelines

These sections describe guidelines you should follow when implementing VTP in your network.

Domain Names

When configuring VTP for the first time, you must always assign a domain name. You must configure all switches in the VTP domain with the same domain name. Switches in VTP transparent mode do not exchange VTP messages with other switches, and you do not need to configure a VTP domain name for them.

Note    If NVRAM and DRAM storage is sufficient, all switches in a VTP domain should be in VTP server mode.

Caution    Do not configure a VTP domain if all switches are operating in VTP client mode. If you configure the domain, it is impossible to make changes to the VLAN configuration of that domain. Make sure that you configure at least one switch in the VTP domain for VTP server mode.

Passwords

You can configure a password for the VTP domain, but it is not required. If you do configure a domain password, all domain switches must share the same password and you must configure the password on each switch in the management domain. Switches without a password or with the wrong password reject VTP advertisements.

If you configure a VTP password for a domain, a switch that is booted without a VTP configuration does not accept VTP advertisements until you configure it with the correct password. After the configuration, the switch accepts the next VTP advertisement that uses the same password and domain name in the advertisement.

If you are adding a new switch to an existing network with VTP capability, the new switch learns the domain name only after the applicable password has been configured on it.

Caution    When you configure a VTP domain password, the management domain does not function properly if you do not assign a management domain password to each switch in the domain.
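The advertisement handling described in this chapter, as an added Python model (an example written for this page, not Cisco code): a switch rejects an advertisement whose password or domain name does not match its own, does not exchange advertisements with a switch running a different VTP version, acts on an advertisement only when its configuration revision is higher than the local one, and in transparent mode never acts on advertisements (a Version 2 transparent switch forwards them). The password check is simplified to a string comparison, where a real switch compares an MD5 digest carried in the advertisement; the switch names, revisions and VLAN tables are constructed. The model also shows why the configuration revision number matters when a switch is added to a domain, and how changing the domain name resets it.

```python
"""Simplified model of how a switch handles a received VTP advertisement.

Added example, not Cisco code. The password check is modelled as a plain
string comparison (a real switch compares an MD5 digest carried in the
advertisement); all names, revisions and VLAN tables are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Advertisement:
    domain: str
    password: str      # "" when the sending domain has no password
    version: int       # 1 or 2
    revision: int
    vlans: dict        # VLAN ID -> name


@dataclass
class VtpSwitch:
    name: str
    mode: str = "server"     # server (the default), client or transparent
    domain: str = ""         # null domain name until configured or learned
    password: str = ""
    version: int = 1         # Version 2 is disabled by default
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def set_domain(self, domain):
        """vtp domain: moving to a different domain name resets the revision to 0."""
        if domain != self.domain:
            self.revision = 0
        self.domain = domain

    def advertise(self):
        return Advertisement(self.domain, self.password, self.version,
                             self.revision, dict(self.vlans))

    def receive(self, adv):
        """Return (action, reason) for an advertisement arriving on a trunk."""
        if self.mode == "transparent":
            # Transparent switches never act on updates; a Version 2
            # transparent switch still forwards them on its trunks.
            return ("forward" if self.version == 2 else "drop", "transparent mode")
        if adv.password != self.password:
            return ("reject", "password mismatch")
        if self.domain and adv.domain != self.domain:
            return ("reject", "domain name mismatch")
        if adv.version != self.version:
            return ("reject", "VTP version mismatch")
        if not self.domain:
            self.domain = adv.domain     # a switch with a null domain learns it
        if adv.revision <= self.revision:
            return ("ignore", "revision %d is not higher than ours" % adv.revision)
        # Highest revision wins, whatever the advertised VLAN table contains;
        # this applies to servers as well as clients.
        self.vlans = dict(adv.vlans)
        self.revision = adv.revision
        return ("accept", "adopted revision %d" % adv.revision)


def domain_server():
    """Constructed VTP server holding the domain's real VLAN table."""
    return VtpSwitch("core", domain="eng_group", password="mypassword",
                     revision=5, vlans={1: "default", 10: "red", 20: "blue"})


def stale_switch_joins():
    """A switch with a higher revision joins: the server adopts its VLAN table."""
    server = domain_server()
    joiner = VtpSwitch("lab", mode="client", domain="eng_group",
                       password="mypassword", revision=20)   # stale but higher
    action, _ = server.receive(joiner.advertise())
    return action, sorted(server.vlans)          # ("accept", [1]): VLANs 10 and 20 gone


def reset_then_join():
    """Same switch after the domain-rename reset: the server's table survives."""
    server = domain_server()
    joiner = VtpSwitch("lab", mode="client", domain="eng_group",
                       password="mypassword", revision=20)
    joiner.set_domain("scratch")                 # revision becomes 0
    joiner.set_domain("eng_group")               # back to the real domain, still 0
    ignored, _ = server.receive(joiner.advertise())
    accepted, _ = joiner.receive(server.advertise())
    return ignored, accepted, sorted(joiner.vlans)   # ("ignore", "accept", [1, 10, 20])


def wrong_password_is_rejected():
    server = domain_server()
    other = VtpSwitch("lab2", domain="eng_group", password="guess", revision=99)
    return server.receive(other.advertise())[0]      # "reject"


def transparent_v2_forwards():
    edge = VtpSwitch("edge", mode="transparent", version=2, domain="eng_group")
    return edge.receive(domain_server().advertise())[0]   # "forward"
```

The two scenario functions contrast the outcome the "Adding a VTP Client Switch to a VTP Domain" section warns about (the server adopts the joining switch's near-empty VLAN table because its revision is higher) with the outcome after the domain-name reset (the server ignores the joiner, and the joiner then takes the server's table).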


VTP Version

Follow these guidelines when deciding which VTP version to implement:

•  All switches in a VTP domain must run the same VTP version.

•  A VTP Version 2-capable switch can operate in the same VTP domain as a switch running VTP Version 1 if Version 2 is disabled on the Version 2-capable switch (Version 2 is disabled by default).

•  Do not enable VTP Version 2 on a switch unless all of the switches in the same VTP domain are Version 2-capable. When you enable Version 2 on a switch, all of the Version 2-capable switches in the domain enable Version 2. If there is a Version 1-only switch, it does not exchange VTP information with switches that have Version 2 enabled.

•  If there are TrBRF and TrCRF Token Ring networks in your environment, you must enable VTP Version 2 for Token Ring VLAN switching to function properly. To run Token Ring and Token Ring-Net, disable VTP Version 2.

Configuration Requirements

When you configure VTP, you must configure a trunk port so that the switch can send and receive VTP advertisements to and from other switches in the domain.

For more information, see the "Configuring VLAN Trunks" section on page 9-14.

If you are configuring VTP on a cluster member switch to a VLAN, use the rcommand privileged EXEC command to log in to the member switch. For more information about the command, see the command reference for this release.

If you are configuring extended-range VLANs on the switch, the switch must be in VTP transparent mode.


Configuring a VTP Server

When a switch is in VTP server mode, you can change the VLAN configuration and have it propagated throughout the network.

Note    If extended-range VLANs are configured on the switch, you cannot change VTP mode to server. You receive an error message, and the configuration is not allowed.

Beginning in privileged EXEC mode, follow these steps to configure the switch as a VTP server:

Step 1    configure terminal
          Enter global configuration mode.

Step 2    vtp mode server
          Configure the switch for VTP server mode (the default).

Step 3    vtp domain domain-name
          Configure the VTP administrative-domain name. The name can be 1 to 32 characters. All switches operating in VTP server or client mode under the same administrative responsibility must be configured with the same domain name.

Step 4    vtp password password
          (Optional) Set the password for the VTP domain. The password can be 8 to 64 characters.
          If you configure a VTP password, the VTP domain does not function properly if you do not assign the same password to each switch in the domain.

Step 5    end
          Return to privileged EXEC mode.

Step 6    show vtp status
          Verify your entries in the VTP Operating Mode and the VTP Domain Name fields of the display.
When you configure a domain name, it cannot be removed; you can only reassign a switch to a different domain.

To return the switch to a no-password state, use the no vtp password global configuration command.

This example shows how to use global configuration mode to configure the switch as a VTP server with the domain name eng_group and the password mypassword:

Switch# config terminal
Switch(config)# vtp mode server
Switch(config)# vtp domain eng_group
Switch(config)# vtp password mypassword
Switch(config)# end

You can also use VLAN database configuration mode to configure VTP parameters.

Beginning in privileged EXEC mode, follow these steps to use VLAN database configuration mode to configure the switch as a VTP server:

Step 1    vlan database
          Enter VLAN database configuration mode.

Step 2    vtp server
          Configure the switch for VTP server mode (the default).

Step 3    vtp domain domain-name
          Configure a VTP administrative-domain name. The name can be 1 to 32 characters. All switches operating in VTP server or client mode under the same administrative responsibility must be configured with the same domain name.

Step 4    vtp password password
          (Optional) Set a password for the VTP domain. The password can be 8 to 64 characters.
          If you configure a VTP password, the VTP domain does not function properly if you do not assign the same password to each switch in the domain.

Step 5    exit
          Update the VLAN database, propagate it throughout the administrative domain, and return to privileged EXEC mode.

Step 6    show vtp status
          Verify your entries in the VTP Operating Mode and the VTP Domain Name fields of the display.

When you configure a domain name, it cannot be removed; you can only reassign a switch to a different domain.

To return the switch to a no-password state, use the no vtp password VLAN database configuration command.

This example shows how to use VLAN database configuration mode to configure the switch as a VTP server with the domain name eng_group and the password mypassword:

Switch# vlan database
Switch(vlan)# vtp server
Switch(vlan)# vtp domain eng_group
Switch(vlan)# vtp password mypassword
Switch(vlan)# exit
APPLY completed.
Exiting....
Switch#
Configuring a VTP Client

When a switch is in VTP client mode, you cannot change its VLAN configuration. The client switch receives VTP updates from a VTP server in the VTP domain and then modifies its configuration accordingly.

Follow these guidelines:

•  If extended-range VLANs are configured on the switch, you cannot change VTP mode to client. You receive an error message, and the configuration is not allowed.

•  If you configure the switch for VTP client mode, the switch does not create the VLAN database file (vlan.dat). If the switch is then powered off, it resets the VTP configuration to the default. To keep the VTP configuration with VTP client mode after the switch restarts, you must first configure the VTP domain name before the VTP mode.

Caution    If all switches are operating in VTP client mode, do not configure a VTP domain name. If you do, it is impossible to make changes to the VLAN configuration of that domain. Therefore, make sure you configure at least one switch as a VTP server.

Beginning in privileged EXEC mode, follow these steps to configure the switch as a VTP client:

Step 1    configure terminal
          Enter global configuration mode.

Step 2    vtp mode client
          Configure the switch for VTP client mode. The default setting is VTP server.

Step 3    vtp domain domain-name
          (Optional) Enter the VTP administrative-domain name. The name can be 1 to 32 characters. This should be the same domain name as the VTP server.
          All switches operating in VTP server or client mode under the same administrative responsibility must be configured with the same domain name.

Step 4    vtp password password
          (Optional) Enter the password for the VTP domain.

Step 5    end
          Return to privileged EXEC mode.

Step 6    show vtp status
          Verify your entries in the VTP Operating Mode and the VTP Domain Name fields of the display.

Note    Use the no vtp mode global configuration command to return the switch to VTP server mode. To return the switch to a no-password state, use the no vtp password privileged EXEC command. When you configure a domain name, it cannot be removed; you can only reassign a switch to a different domain.

You can also configure a VTP client by using the vlan database privileged EXEC command to enter VLAN database configuration mode and entering the vtp client command, similar to the second procedure under the "Configuring a VTP Server" section on page 10-9. Use the no vtp client VLAN database configuration command to return the switch to VTP server mode or the no vtp password VLAN database configuration command to return the switch to a no-password state. When you configure a domain name, it cannot be removed; you can only reassign a switch to a different domain.
Disabling VTP (VTP Transparent Mode)

When you configure the switch for VTP transparent mode, VTP is disabled on the switch. The switch does not send VTP updates and does not act on VTP updates received from other switches. However, a VTP transparent switch running VTP Version 2 does forward received VTP advertisements on its trunk links.

Note    Before you create extended-range VLANs (VLAN IDs 1006 to 4094), you must set VTP mode to transparent by using the vtp mode transparent global configuration command. Save this configuration to the startup configuration so that the switch boots up in VTP transparent mode. Otherwise, you lose the extended-range VLAN configuration if the switch resets and boots up in VTP server mode (the default).

Beginning in privileged EXEC mode, follow these steps to configure VTP transparent mode and save the VTP configuration in the switch startup configuration file:

Step 1    configure terminal
          Enter global configuration mode.

Step 2    vtp mode transparent
          Configure the switch for VTP transparent mode (disable VTP).

Step 3    end
          Return to privileged EXEC mode.

Step 4    show vtp status
          Verify your entries in the VTP Operating Mode and the VTP Domain Name fields of the display.

Step 5    copy running-config startup-config
          (Optional) Save the configuration in the startup configuration file.
          Note    Only VTP mode and domain name are saved in the switch running configuration and can be copied to the startup configuration file.

To return the switch to VTP server mode, use the no vtp mode global configuration command.

Note    If extended-range VLANs are configured on the switch, you cannot change the VTP mode to server. You receive an error message, and the configuration is not allowed.

Note    You can also configure VTP transparent mode by using the vlan database privileged EXEC command to enter VLAN database configuration mode and by entering the vtp transparent command, similar to the second procedure under the "Configuring a VTP Server" section on page 10-9. Use the no vtp transparent VLAN database configuration command to return the switch to VTP server mode. If extended-range VLANs are configured on the switch, you cannot change VTP mode to server. You receive an error message, and the configuration is not allowed.
Enabling VTP Version 2

VTP Version 2 is disabled by default on VTP Version 2-capable switches. When you enable VTP Version 2 on a switch, every VTP Version 2-capable switch in the VTP domain enables Version 2. You can only configure the version when the switches are in VTP server or transparent mode.

VTP Version 1 and VTP Version 2 are not interoperable on switches in the same VTP domain. Every switch in the VTP domain must use the same VTP version. Do not enable VTP Version 2 unless every switch in the VTP domain supports Version 2.

In TrCRF and TrBRF Token Ring environments, you must enable VTP Version 2 for Token Ring VLAN switching to function properly. For Token Ring and Token Ring-Net media, VTP Version 2 must be disabled.

For more information on VTP version configuration guidelines, see the "VTP Version" section on page 10-8.

Beginning in privileged EXEC mode, follow these steps to enable VTP Version 2:

Step 1    configure terminal
          Enter global configuration mode.

Step 2    vtp version 2
          Enable VTP Version 2 on the switch.
          VTP Version 2 is disabled by default on VTP Version 2-capable switches.

Step 3    end
          Return to privileged EXEC mode.

Step 4    show vtp status
          In the VTP V2 Mode field of the display, verify that VTP Version 2 is enabled.

To disable VTP Version 2, use the no vtp version global configuration command.

Note    You can also enable VTP Version 2 by using the vlan database privileged EXEC command to enter VLAN database configuration mode and by entering the vtp v2-mode VLAN database configuration command. To disable VTP Version 2, use the no vtp v2-mode VLAN database configuration command.

Enabling VTP Pruning

Pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the destination devices. You can only enable VTP pruning on a switch in VTP server mode.

Beginning in privileged EXEC mode, follow these steps to enable VTP pruning in the VTP domain:

Step 1    configure terminal
          Enter global configuration mode.

Step 2    vtp pruning
          Enable pruning in the VTP administrative domain.
          By default, pruning is disabled. You need to enable pruning on only one switch in VTP server mode.

Step 3    end
          Return to privileged EXEC mode.

Step 4    show vtp status
          Verify your entries in the VTP Pruning Mode field of the display.

To disable VTP pruning, use the no vtp pruning global configuration command.

Note    You can also enable VTP pruning by using the vlan database privileged EXEC command to enter VLAN database configuration mode and entering the vtp pruning VLAN database configuration command. To disable VTP pruning, use the no vtp pruning VLAN database configuration command. You can also enable VTP pruning by using the vtp pruning privileged EXEC command.

Pruning is supported with VTP Version 1 and Version 2. If you enable pruning on the VTP server, it is enabled for the entire VTP domain.

Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2 through 1001 are pruning-eligible on trunk ports. Reserved VLANs and extended-range VLANs cannot be pruned. To change the pruning-eligible VLANs, see the "Changing the Pruning-Eligible List" section on page 9-20.

Adding a VTP Client Switch to a VTP Domain

Before adding a VTP client to a VTP domain, always verify that its VTP configuration revision number is lower than the configuration revision number of the other switches in the VTP domain. Switches in a VTP domain always use the VLAN configuration of the switch with the highest VTP configuration revision number. If you add a switch that has a revision number higher than the revision number in the VTP domain, it can erase all VLAN information from the VTP server and VTP domain.

Beginning in privileged EXEC mode, follow these steps to verify and reset the VTP configuration revision number on a switch before adding it to a VTP domain:

Step 1    show vtp status
          Check the VTP configuration revision number.
          If the number is 0, add the switch to the VTP domain.
          If the number is greater than 0, follow these steps:
          a. Write down the domain name.
          b. Write down the configuration revision number.
          c. Continue with the next steps to reset the switch configuration revision number.

Step 2    configure terminal
          Enter global configuration mode.

Step 3    vtp domain domain-name
          Change the domain name from the original one displayed in Step 1 to a new name.

Step 4    end
          The VLAN information on the switch is updated and the configuration revision number is reset to 0. You return to privileged EXEC mode.

Step 5    show vtp status
          Verify that the configuration revision number has been reset to 0.

Step 6    configure terminal
          Enter global configuration mode.

Step 7    vtp domain domain-name
          Enter the original domain name on the switch.

Step 8    end
          The VLAN information on the switch is updated, and you return to privileged EXEC mode.

Step 9    show vtp status
          (Optional) Verify that the domain name is the same as in Step 1 and that the configuration revision number is 0.

You can also change the VTP domain name by entering the vlan database privileged EXEC command to enter VLAN database configuration mode and by entering the vtp domain domain-name command. In this mode, you must enter the exit command to update VLAN information and return to privileged EXEC mode.

After resetting the configuration revision number, add the switch to the VTP domain.

Note    You can use the vtp mode transparent global configuration command or the vtp transparent VLAN database configuration command to disable VTP on the switch, and then change its VLAN information without affecting the other switches in the VTP domain.
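The check in Step 1 above, automated, as an added Python example (not Cisco code): it parses the "Name : value" lines of a show vtp status display from the candidate switch and from a switch already in the domain, and reports anything that must be fixed before the candidate is connected (domain name differs, VTP V2 Mode differs, or the candidate's configuration revision is not lower than the domain's). The two displays are constructed samples laid out like the show vtp status output, using the field names this chapter refers to; the MD5 digest values are placeholders.

```python
"""Pre-join check on a switch's show vtp status display.

Added example, not Cisco code. The two displays below are constructed
samples laid out like the show vtp status output (field names as used
in this chapter); the digest values are placeholders.
"""
import re

# Constructed sample: the switch about to be connected to the domain.
CANDIDATE = """\
VTP Version                     : 2
Configuration Revision          : 17
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Client
VTP Domain Name                 : eng_group
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x00 0x00 0x00 0x00 (placeholder)
"""

# Constructed sample: a server that is already a member of the domain.
DOMAIN_MEMBER = """\
VTP Version                     : 2
Configuration Revision          : 5
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 7
VTP Operating Mode              : Server
VTP Domain Name                 : eng_group
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x00 0x00 0x00 0x00 (placeholder)
"""

# Constructed sample: the candidate after the domain-name rename and
# rename-back procedure (Steps 2 to 8), which resets the revision to 0.
RESET_CANDIDATE = CANDIDATE.replace("Configuration Revision          : 17",
                                    "Configuration Revision          : 0")

# "Field name : value"; lines without a spaced colon (e.g. timestamps) are skipped.
FIELD = re.compile(r"^\s*([A-Za-z0-9 ]+?)\s+:\s+(.*?)\s*$")


def parse_vtp_status(text):
    """Map each 'Name : value' line of the display to a dict entry."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def revision(fields):
    return int(fields["Configuration Revision"])


def prejoin_findings(candidate_text, member_text):
    """Reasons the candidate must not yet be connected to the domain."""
    cand = parse_vtp_status(candidate_text)
    member = parse_vtp_status(member_text)
    findings = []
    if cand["VTP Domain Name"] != member["VTP Domain Name"]:
        findings.append("domain name %r differs from the domain's %r"
                        % (cand["VTP Domain Name"], member["VTP Domain Name"]))
    if cand["VTP V2 Mode"] != member["VTP V2 Mode"]:
        findings.append("VTP V2 Mode differs; all switches must run the same version")
    if revision(cand) >= revision(member):
        findings.append("revision %d is not lower than the domain's %d; "
                        "reset it by changing the domain name and back"
                        % (revision(cand), revision(member)))
    return findings


def safe_to_add(candidate_text, member_text):
    """True only when no finding stands in the way of connecting the switch."""
    return not prejoin_findings(candidate_text, member_text)
```

Run against the constructed displays, the candidate with revision 17 produces one finding (its revision is higher than the domain's 5) and is not safe to add; the same switch after the reset (revision 0) produces none.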
Monitoring VTP

You monitor VTP by displaying VTP configuration information: the domain name, the current VTP revision, and the number of VLANs. You can also display statistics about the advertisements sent and received by the switch.

Table 10-3 shows the privileged EXEC commands for monitoring VTP activity.

Table 10-3    VTP Monitoring Commands

Command             Purpose
show vtp status     Display the VTP switch configuration information.
show vtp counters   Display counters about VTP messages that have been sent and received.

10-16    Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide    380261-003

CHAPTER

Configuring Voice VLAN

This chapter describes how to configure the voice VLAN feature on the switch. Voice VLAN is referred to as an auxiliary VLAN in some Catalyst 6500 family switch documentation.

Note    For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.

This chapter consists of these sections:

•  Understanding Voice VLAN, page 11-1

•  Configuring Voice VLAN, page 11-3

•  Displaying Voice VLAN, page 11-6

Understanding Voice VLAN

The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. When the switch is connected to a Cisco 7960 IP Phone, the phone sends voice traffic with Layer 3 IP precedence and Layer 2 class of service (CoS) values, which are both set to 5 by default. Because the sound quality of an IP phone call can deteriorate if the data is unevenly sent, the switch supports quality of service (QoS) based on IEEE 802.1p CoS. QoS uses classification and scheduling to send network traffic from the switch in a predictable manner. For more information on QoS, see Chapter 27, "Configuring QoS."

The Cisco 7960 IP Phone is a configurable device, and you can configure it to forward traffic with an IEEE 802.1p priority. You can configure the switch to trust or override the traffic priority assigned by a Cisco IP Phone.

The Cisco IP Phone contains an integrated three-port 10/100 switch as shown in Figure 11-1. The ports provide dedicated connections to these devices:

•  Port 1 connects to the switch or other voice-over-IP (VoIP) device.

•  Port 2 is an internal 10/100 interface that carries the IP Phone traffic.

•  Port 3 (access port) connects to a PC or other device.
Figure 11-1 shows one way to connect a Cisco 7960 IP Phone.

Figure 11-1    Cisco 7960 IP Phone Connected to a Switch

Cisco IP Phone Voice Traffic

You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone. You can configure access ports on the switch to send Cisco Discovery Protocol (CDP) packets that instruct an attached phone to send voice traffic to the switch in any of these ways:

•  In the voice VLAN tagged with a Layer 2 CoS priority value

•  In the access VLAN tagged with a Layer 2 CoS priority value

•  In the access VLAN, untagged (no Layer 2 CoS priority value)

Note    In all configurations, the voice traffic carries a Layer 3 IP precedence value (the default is 5 for voice traffic and 3 for voice control traffic).


Cisco IP Phone Data Traffic

The switch can also process tagged data traffic (traffic in IEEE 802.1Q or IEEE 802.1p frame types) from the device attached to the access port on the Cisco IP Phone (see Figure 11-1). You can configure Layer 2 access ports on the switch to send CDP packets that instruct the attached phone to configure the phone access port in one of these modes:

•  In trusted mode, all traffic received through the access port on the Cisco IP Phone passes through the phone unchanged.

•  In untrusted mode, all traffic in IEEE 802.1Q or IEEE 802.1p frames received through the access port on the Cisco IP Phone receive a configured Layer 2 CoS value. The default Layer 2 CoS value is 0. Untrusted mode is the default.

Note    Untagged traffic from the device attached to the Cisco IP Phone passes through the phone unchanged, regardless of the trust state of the access port on the phone.


Configuring  Voice  VLAN 

These  sections  contain  this  configuration  information: 

•  Default  Voice  VLAN  Configuration,  page  11-3 

•  Voice  VLAN  Configuration  Guidelines,  page  11-3 

•  Configuring  a  Port  Connected  to  a  Cisco  7960  IP  Phone,  page  11-4 

Default  Voice  VLAN  Configuration 

The  voice  VLAN  feature  is  disabled  by  default. 

When  the  voice  VLAN  feature  is  enabled,  all  untagged  traffic  is  sent  according  to  the  default  CoS 
priority  of  the  port. 

The  CoS  value  is  not  trusted  for  IEEE  802.  lp  or  IEEE  802. 1Q  tagged  traffic. 

Voice  VLAN  Configuration  Guidelines 

These  are  the  voice  VLAN  configuration  guidelines: 

•  You  should  configure  voice  VLAN  on  switch  access  ports;  voice  VLAN  is  not  supported  on 
trunk  ports. 

^   

Note     Voice  VLAN  is  only  supported  on  access  ports  and  not  on  trunk  ports,  even  though  the 
configuration  is  allowed. 


•  The  voice  VLAN  should  be  present  and  active  on  the  switch  for  the  IP  phone  to  correctly 
communicate  on  the  voice  VLAN.  Use  the  show  vlan  privileged  EXEC  command  to  see  if  the 
VLAN  is  present  (listed  in  the  display).  If  the  VLAN  is  not  listed,  see  Chapter  9,  "Configuring 
VLANs,"  for  information  on  how  to  create  the  voice  VLAN. 

•  Before you enable voice VLAN, we recommend that you enable QoS on the switch by entering the
mls qos global configuration command and configure the port trust state to trust by entering the mls
qos trust cos interface configuration command. If you use the auto-QoS feature, these settings are
automatically configured. For more information, see Chapter 27, "Configuring QoS."

•  You  must  enable  CDP  on  the  switch  port  connected  to  the  Cisco  IP  Phone  to  send  the  configuration 
to  the  phone.  (CDP  is  globally  enabled  by  default  on  all  switch  interfaces.) 

•  The  Port  Fast  feature  is  automatically  enabled  when  voice  VLAN  is  configured.  When  you  disable 
voice  VLAN,  the  Port  Fast  feature  is  not  automatically  disabled. 
•  If the Cisco IP Phone and a device attached to the phone are in the same VLAN, they must be in the
same IP subnet. These conditions indicate that they are in the same VLAN:

-  They both use IEEE 802.1p or untagged frames.

-  The Cisco IP Phone uses IEEE 802.1p frames, and the device uses untagged frames.

-  The Cisco IP Phone uses untagged frames, and the device uses IEEE 802.1p frames.

-  The Cisco IP Phone uses IEEE 802.1Q frames, and the voice VLAN is the same as the access
VLAN.

•  The  Cisco  IP  Phone  and  a  device  attached  to  the  phone  cannot  communicate  if  they  are  in  the  same 
VLAN  and  subnet  but  use  different  frame  types  because  traffic  in  the  same  subnet  is  not  routed 
(routing  would  eliminate  the  frame  type  difference). 

•  You  cannot  configure  static  secure  MAC  addresses  in  the  voice  VLAN. 

•  Voice  VLAN  ports  can  also  be  these  port  types: 

-  Dynamic access port. See the "Configuring Dynamic-Access Ports on VMPS Clients" section
on page 9-28 for more information.

-  IEEE 802.1x authenticated port. See the "Configuring IEEE 802.1x Authentication" section on
page 6-23 for more information.

Note  If you enable IEEE 802.1x on an access port on which a voice VLAN is configured and
to which a Cisco IP Phone is connected, the phone loses connectivity to the switch for
up to 30 seconds.

-  Protected  port.  See  the  "Configuring  Protected  Ports"  section  on  page  18-5  for  more 
information. 

-  A  source  or  destination  port  for  a  SPAN  or  RSPAN  session. 

-  Secure  port.  See  the  "Configuring  Port  Security"  section  on  page  18-7  for  more  information. 

Note     When you enable port security on an interface that is also configured with a voice
VLAN, you must set the maximum allowed secure addresses on the port to two plus the
maximum number of secure addresses allowed on the access VLAN. When the port is
connected to a Cisco IP Phone, the phone requires up to two MAC addresses. The phone
address is learned on the voice VLAN and might also be learned on the access VLAN.
Connecting a PC to the phone requires additional MAC addresses.
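The guidelines above can be checked mechanically against a running configuration. The following Python script is an added example and is not part of this guide or of the Cisco IOS software. It parses a constructed running-config excerpt (the interface names, VLAN numbers, and port-security maximums are sample values) and reports ports whose voice VLAN settings break the guidelines: voice VLAN on a trunk port, global mls qos not enabled, port trust state not set to trust cos, and a port-security maximum below two plus the access-VLAN maximum. The access-VLAN maximum is a parameter of the check (default 1, an assumption), and a port-security line without an explicit maximum is treated as a maximum of 1 (also an assumption).

```python
"""Audit voice VLAN ports against the configuration guidelines.

Added example, not Cisco code. Works on a running-config text excerpt.
"""
import re

# Constructed sample running-config excerpt (not captured from a real switch).
SAMPLE_CONFIG = """\
mls qos
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 mls qos trust cos
 switchport port-security
 switchport port-security maximum 1
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport voice vlan 110
!
interface GigabitEthernet0/3
 switchport mode access
 switchport voice vlan 110
 mls qos trust cos
 switchport port-security
 switchport port-security maximum 3
"""

MAX_RE = re.compile(r"switchport port-security maximum (\d+)")


def parse_interfaces(config):
    """Return (global commands, {interface name: [its indented commands]})."""
    global_cmds = []
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None                 # "!" or a global command ends the block
            text = line.strip()
            if text and text != "!":
                global_cmds.append(text)
    return global_cmds, interfaces


def audit_voice_vlan(config, access_vlan_max=1):
    """Return {interface: [findings]} for every port that carries a voice VLAN."""
    global_cmds, interfaces = parse_interfaces(config)
    qos_enabled = "mls qos" in global_cmds
    findings = {}
    for name, lines in interfaces.items():
        if not any(l.startswith("switchport voice vlan") for l in lines):
            continue
        problems = []
        if "switchport mode trunk" in lines:
            problems.append("voice VLAN configured on a trunk port (unsupported)")
        if not qos_enabled:
            problems.append("global 'mls qos' not enabled")
        if "mls qos trust cos" not in lines:
            problems.append("port trust state is not 'trust cos'")
        if "switchport port-security" in lines:
            maximum = 1                    # assumed default when no maximum line is present
            for l in lines:
                m = MAX_RE.match(l)
                if m:
                    maximum = int(m.group(1))
            needed = 2 + access_vlan_max   # phone needs up to two addresses
            if maximum < needed:
                problems.append(f"port-security maximum {maximum} is below the required {needed}")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for port, problems in audit_voice_vlan(SAMPLE_CONFIG).items():
        print(port, problems or ["ok"])
```

Run against a real `show running-config` capture, the script lists only ports with a switchport voice vlan line, so ports without phones are never flagged.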


Configuring  a  Port  Connected  to  a  Cisco  7960  IP  Phone 

Because  a  Cisco  7960  IP  Phone  also  supports  a  connection  to  a  PC  or  other  device,  a  port  connecting  the 
switch  to  a  Cisco  IP  Phone  can  carry  mixed  traffic.  You  can  configure  a  port  to  decide  how  the  Cisco  IP 
Phone  carries  voice  traffic  and  data  traffic. 

These  sections  contain  this  configuration  information: 

•  Configuring  Cisco  IP  Phone  Voice  Traffic,  page  11-5 

•  Configuring  the  Priority  of  Incoming  Data  Frames,  page  11-6 
Configuring Cisco IP Phone Voice Traffic

You  can  configure  a  port  connected  to  the  Cisco  IP  Phone  to  send  CDP  packets  to  the  phone  to  configure 
the way in which the phone sends voice traffic. The phone can carry voice traffic in IEEE 802.1Q frames
for a specified voice VLAN with a Layer 2 CoS value. It can use IEEE 802.1p priority tagging to give
voice traffic a higher priority and forward all voice traffic through the native (access) VLAN. The Cisco
IP  Phone  can  also  send  untagged  voice  traffic  or  use  its  own  configuration  to  send  voice  traffic  in  the 
access  VLAN.  In  all  configurations,  the  voice  traffic  carries  a  Layer  3  IP  precedence  value  (the  default 
is  5). 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  voice  traffic  on  a  port: 


Command                                         Purpose

Step 1     configure terminal

Enter global configuration mode.

Step 2     interface interface-id

Specify the interface connected to the phone, and enter interface
configuration mode.

Step 3     mls qos trust cos

Configure the interface to classify incoming traffic packets by using the
packet CoS value. For untagged packets, the port default CoS value is used.

Note     Before configuring the port trust state, you must first globally enable
QoS by using the mls qos global configuration command.

Step 4     switchport voice vlan {vlan-id | dot1p | none | untagged}

Configure how the Cisco IP Phone carries voice traffic:

•  vlan-id — Configure the phone to forward all voice traffic through the
specified VLAN. By default, the Cisco IP Phone forwards the
traffic with an IEEE 802.1Q priority of 5. Valid VLAN IDs are 1 to
4094.

•  dot1p — Configure the phone to use IEEE 802.1p priority tagging for
voice traffic and to use the default native VLAN (VLAN 0) to carry all
traffic. By default, the Cisco IP Phone forwards the voice traffic with an
IEEE 802.1p priority of 5.

•  none — Allow the phone to use its own configuration to send untagged
voice traffic.

•  untagged — Configure the phone to send untagged voice traffic.

Step 5     end

Return to privileged EXEC mode.

Step 6     show interfaces interface-id switchport or
show running-config interface interface-id

Verify your voice VLAN entries (show interfaces interface-id switchport) or
your QoS and voice VLAN entries (show running-config interface interface-id).

Step 7     copy running-config startup-config

(Optional) Save your entries in the configuration file.

This example shows how to configure a port connected to a Cisco IP Phone to use the CoS value to
classify incoming traffic, to use IEEE 802.1p priority tagging for voice traffic, and to use the default
native VLAN (VLAN 0) to carry all traffic:

Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# mls qos trust cos
Switch(config-if)# switchport voice vlan dot1p
Switch(config-if)# end

To return the port to its default setting, use the no switchport voice vlan interface configuration
command.

Configuring  the  Priority  of  Incoming  Data  Frames 

You can connect a PC or other data device to a Cisco IP Phone port. To process tagged data traffic (in
IEEE 802.1Q or IEEE 802.1p frames), you can configure the switch to send CDP packets to instruct the
phone  how  to  send  data  packets  from  the  device  attached  to  the  access  port  on  the  Cisco  IP  Phone.  The 
PC  can  generate  packets  with  an  assigned  CoS  value.  You  can  configure  the  phone  to  not  change  (trust) 
or  to  override  (not  trust)  the  priority  of  frames  arriving  on  the  phone  port  from  connected  devices. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  set  the  priority  of  data  traffic  received  from 
the  nonvoice  port  on  the  Cisco  IP  Phone: 


Command 

Purpose 

Step  1     configure  terminal 

Enter  global  configuration  mode. 

Step  2     interface  interface-id 

Specify  the  interface  connected  to  the  Cisco  IP  Phone,  and  enter  interface 
configuration  mode. 

Step 3     switchport priority extend
{cos value | trust}

Set  the  priority  of  data  traffic  received  from  the  Cisco  IP  Phone  access  port: 

•  cos  value — Configure  the  phone  to  override  the  priority  received  from 
the  PC  or  the  attached  device  with  the  specified  CoS  value.  The  value  is 
a  number  from  0  to  7,  with  7  as  the  highest  priority.  The  default  priority 
is  cos  0. 

•  trust — Configure  the  phone  access  port  to  trust  the  priority  received 
from  the  PC  or  the  attached  device. 

Step  4  end 

Return  to  privileged  EXEC  mode. 

Step  5     show  interfaces  interface-id 
switchport 

Verify  your  entries. 

Step  6     copy  running-config 
startup-config 

(Optional)  Save  your  entries  in  the  configuration  file. 

This  example  shows  how  to  configure  a  port  connected  to  a  Cisco  IP  Phone  to  not  change  the  priority  of 
frames  received  from  the  PC  or  the  attached  device: 

Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport priority extend trust
Switch(config-if)# end

To  return  the  port  to  its  default  setting,  use  the  no  switchport  priority  extend  interface  configuration 
command. 


Displaying Voice VLAN

To display voice VLAN configuration for an interface, use the show interfaces interface-id switchport
privileged EXEC command.


Configuring STP


This chapter describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on the
switch. The switch can use either the per-VLAN spanning-tree plus (PVST+) protocol based on the IEEE
802.1D standard and Cisco proprietary extensions, or the rapid per-VLAN spanning-tree plus
(rapid-PVST+) protocol based on the IEEE 802.1w standard.

For  information  about  the  Multiple  Spanning  Tree  Protocol  (MSTP)  and  how  to  map  multiple  VLANs 
to  the  same  spanning-tree  instance,  see  Chapter  13,  "Configuring  MSTP."  For  information  about  other 
spanning-tree  features  such  as  Port  Fast,  UplinkFast,  root  guard,  and  so  forth,  see  Chapter  14, 
"Configuring  Optional  Spanning-Tree  Features." 

Note      For complete syntax and usage information for the commands used in this chapter, see the command
reference for this release.


This  chapter  consists  of  these  sections: 

•  Understanding  Spanning-Tree  Features,  page  12-1 

•  Configuring  Spanning-Tree  Features,  page  12-10 

•  Displaying  the  Spanning-Tree  Status,  page  12-22 

Understanding  Spanning-Tree  Features 

These  sections  contain  this  conceptual  information: 

•  STP  Overview,  page  12-2 

•  Spanning-Tree  Topology  and  BPDUs,  page  12-3 

•  Bridge  ID,  Switch  Priority,  and  Extended  System  ID,  page  12-4 

•  Spanning-Tree  Interface  States,  page  12-4 

•  How  a  Switch  or  Port  Becomes  the  Root  Switch  or  Root  Port,  page  12-7 

•  Spanning  Tree  and  Redundant  Connectivity,  page  12-8 

•  Spanning-Tree  Address  Management,  page  12-8 

•  Accelerated  Aging  to  Retain  Connectivity,  page  12-8 

•  Spanning-Tree  Modes  and  Protocols,  page  12-9 

•  Supported  Spanning-Tree  Instances,  page  12-9 
•  Spanning-Tree Interoperability and Backward Compatibility, page 12-10

•  STP  and  IEEE  802.1Q  Trunks,  page  12-10 

For  configuration  information,  see  the  "Configuring  Spanning-Tree  Features"  section  on  page  12-10. 

For  information  about  optional  spanning-tree  features,  see  Chapter  14,  "Configuring  Optional 
Spanning-Tree  Features." 


STP  Overview 

STP  is  a  Layer  2  link  management  protocol  that  provides  path  redundancy  while  preventing  loops  in  the 
network.  For  a  Layer  2  Ethernet  network  to  function  properly,  only  one  active  path  can  exist  between 
any  two  stations.  Multiple  active  paths  among  end  stations  cause  loops  in  the  network.  If  a  loop  exists 
in  the  network,  end  stations  might  receive  duplicate  messages.  Switches  might  also  learn  end-station 
MAC  addresses  on  multiple  Layer  2  interfaces.  These  conditions  result  in  an  unstable  network. 
Spanning-tree  operation  is  transparent  to  end  stations,  which  cannot  detect  whether  they  are  connected 
to  a  single  LAN  segment  or  a  switched  LAN  of  multiple  segments. 

The  STP  uses  a  spanning-tree  algorithm  to  select  one  switch  of  a  redundantly  connected  network  as  the 
root  of  the  spanning  tree.  The  algorithm  calculates  the  best  loop-free  path  through  a  switched  Layer  2 
network  by  assigning  a  role  to  each  port  based  on  the  role  of  the  port  in  the  active  topology: 

•  Root — A  forwarding  port  elected  for  the  spanning-tree  topology 

•  Designated — A  forwarding  port  elected  for  every  switched  LAN  segment 

•  Alternate — A  blocked  port  providing  an  alternate  path  to  the  root  bridge  in  the  spanning  tree 

•  Backup — A  blocked  port  in  a  loopback  configuration 

The  switch  that  has  all  of  its  ports  as  the  designated  role  or  as  the  backup  role  is  the  root  switch.  The 
switch  that  has  at  least  one  of  its  ports  in  the  designated  role  is  called  the  designated  switch. 

Spanning  tree  forces  redundant  data  paths  into  a  standby  (blocked)  state.  If  a  network  segment  in  the 
spanning  tree  fails  and  a  redundant  path  exists,  the  spanning-tree  algorithm  recalculates  the 
spanning-tree  topology  and  activates  the  standby  path.  Switches  send  and  receive  spanning-tree  frames, 
called  bridge  protocol  data  units  (BPDUs),  at  regular  intervals.  The  switches  do  not  forward  these  frames 
but  use  them  to  construct  a  loop-free  path.  BPDUs  contain  information  about  the  sending  switch  and  its 
ports,  including  switch  and  MAC  addresses,  switch  priority,  port  priority,  and  path  cost.  Spanning  tree 
uses  this  information  to  elect  the  root  switch  and  root  port  for  the  switched  network  and  the  root  port  and 
designated  port  for  each  switched  segment. 

When  two  ports  on  a  switch  are  part  of  a  loop,  the  spanning-tree  port  priority  and  path  cost  settings 
control  which  port  is  put  in  the  forwarding  state  and  which  is  put  in  the  blocking  state.  The  spanning-tree 
port  priority  value  represents  the  location  of  a  port  in  the  network  topology  and  how  well  it  is  located  to 
pass  traffic.  The  path  cost  value  represents  the  media  speed. 

Note      The switch sends keepalive messages (to ensure the connection is up) only on interfaces that do not have
small form-factor pluggable (SFP) modules.


Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide
380261-003


Spanning-Tree  Topology  and  BPDUs 

The  stable,  active  spanning-tree  topology  of  a  switched  network  is  controlled  by  these  elements: 

•  The  unique  bridge  ID  (switch  priority  and  MAC  address)  associated  with  each  VLAN  on  each 
switch. 

•  The  spanning-tree  path  cost  to  the  root  switch. 

•  The  port  identifier  (port  priority  and  MAC  address)  associated  with  each  Layer  2  interface. 

When  the  switches  in  a  network  are  powered  up,  each  functions  as  the  root  switch.  Each  switch  sends  a 
configuration  BPDU  through  all  of  its  ports.  The  BPDUs  communicate  and  compute  the  spanning-tree 
topology.  Each  configuration  BPDU  contains  this  information: 

•  The  unique  bridge  ID  of  the  switch  that  the  sending  switch  identifies  as  the  root  switch 

•  The  spanning-tree  path  cost  to  the  root 

•  The  bridge  ID  of  the  sending  switch 

•  Message  age 

•  The  identifier  of  the  sending  interface 

•  Values  for  the  hello,  forward  delay,  and  max-age  protocol  timers 

When  a  switch  receives  a  configuration  BPDU  that  contains  superior  information  (lower  bridge  ID, 
lower  path  cost,  and  so  forth),  it  stores  the  information  for  that  port.  If  this  BPDU  is  received  on  the  root 
port  of  the  switch,  the  switch  also  forwards  it  with  an  updated  message  to  all  attached  LANs  for  which 
it  is  the  designated  switch. 

If  a  switch  receives  a  configuration  BPDU  that  contains  inferior  information  to  that  currently  stored  for 
that  port,  it  discards  the  BPDU.  If  the  switch  is  a  designated  switch  for  the  LAN  from  which  the  inferior 
BPDU  was  received,  it  sends  that  LAN  a  BPDU  containing  the  up-to-date  information  stored  for  that 
port.  In  this  way,  inferior  information  is  discarded,  and  superior  information  is  propagated  on  the 
network. 

A  BPDU  exchange  results  in  these  actions: 

•  One  switch  in  the  network  is  elected  as  the  root  switch  (the  logical  center  of  the  spanning-tree 
topology  in  a  switched  network). 

For  each  VLAN,  the  switch  with  the  highest  switch  priority  (the  lowest  numerical  priority  value)  is 
elected  as  the  root  switch.  If  all  switches  are  configured  with  the  default  priority  (32768),  the  switch 
with  the  lowest  MAC  address  in  the  VLAN  becomes  the  root  switch.  The  switch  priority  value 
occupies  the  most  significant  bits  of  the  bridge  ID,  as  shown  in  Table  12-1  on  page  12-4. 

•  A  root  port  is  selected  for  each  switch  (except  the  root  switch).  This  port  provides  the  best  path 
(lowest  cost)  when  the  switch  forwards  packets  to  the  root  switch. 

•  The  shortest  distance  to  the  root  switch  is  calculated  for  each  switch  based  on  the  path  cost. 

•  A  designated  switch  for  each  LAN  segment  is  selected.  The  designated  switch  incurs  the  lowest  path 
cost  when  forwarding  packets  from  that  LAN  to  the  root  switch.  The  port  through  which  the 
designated  switch  is  attached  to  the  LAN  is  called  the  designated  port. 

All  paths  that  are  not  needed  to  reach  the  root  switch  from  anywhere  in  the  switched  network  are  placed 
in  the  spanning-tree  blocking  mode. 
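As an added example (not Cisco code), the Python below decodes an IEEE 802.1D configuration BPDU from its raw 35-byte payload and applies the superior/inferior comparison described above: the received BPDU is ranked against the information stored for the port on root bridge ID, then root path cost, then sender bridge ID, then sending port ID, lower winning. The sample BPDUs are constructed inside the block; the MAC addresses, costs, and port IDs are invented. A monitor that applies the same comparison to BPDUs captured on a port where no switch is expected can raise an alert when a device claims a better root than the one stored; on the switch itself that policy is enforced by the root guard feature mentioned at the start of this chapter.

```python
"""Decode IEEE 802.1D configuration BPDUs and rank them as a switch does.

Added example, not Cisco code. Byte layout of the 35-byte configuration
BPDU that follows the LLC header: protocol ID (2), protocol version (1),
BPDU type (1), flags (1), root ID (8), root path cost (4), sender bridge
ID (8), port ID (2) and the message-age, max-age, hello and forward-delay
timers (2 bytes each, in units of 1/256 second).
"""
import struct
from dataclasses import dataclass

CONFIG_BPDU = struct.Struct("!HBBB8sI8sHHHHH")   # 35 bytes


@dataclass(frozen=True)
class ConfigBPDU:
    root_id: bytes          # 8 bytes: 2-byte priority field + 6-byte MAC address
    root_path_cost: int
    bridge_id: bytes        # the sending switch
    port_id: int            # the sending interface
    message_age: float      # seconds
    max_age: float
    hello_time: float
    forward_delay: float

    @property
    def priority_vector(self):
        """Compared lexicographically; the lower vector is the superior BPDU:
        lower root ID, then lower path cost, then lower sender ID and port ID."""
        return (self.root_id, self.root_path_cost, self.bridge_id, self.port_id)

    def is_superior_to(self, other):
        return self.priority_vector < other.priority_vector


def bridge_id(priority, mac):
    """8-byte bridge ID from a 16-bit priority field and a MAC address string."""
    return struct.pack("!H", priority) + bytes.fromhex(mac.replace(":", ""))


def parse_config_bpdu(payload):
    """Decode a configuration BPDU; raise ValueError if it is not one."""
    if len(payload) < CONFIG_BPDU.size:
        raise ValueError("BPDU payload too short")
    (proto, version, bpdu_type, flags, root, cost, sender, port,
     age, max_age, hello, fwd) = CONFIG_BPDU.unpack_from(payload)
    if proto != 0 or bpdu_type != 0x00:
        raise ValueError(f"not a configuration BPDU (proto={proto}, type={bpdu_type})")
    return ConfigBPDU(root, cost, sender, port,
                      age / 256, max_age / 256, hello / 256, fwd / 256)


def build_config_bpdu(root, cost, sender, port, age=0, max_age=20, hello=2, fwd=15):
    """Encode a configuration BPDU (used here only to construct sample frames)."""
    return CONFIG_BPDU.pack(0, 0, 0, 0, root, cost, sender, port,
                            int(age * 256), int(max_age * 256),
                            int(hello * 256), int(fwd * 256))


def classify_incoming(stored, payload):
    """'superior': store the new information; 'inferior': discard the BPDU.
    A BPDU carrying exactly the stored information adds nothing and is not
    treated as superior."""
    incoming = parse_config_bpdu(payload)
    return "superior" if incoming.is_superior_to(stored) else "inferior"


# Constructed sample (invented MAC addresses and costs): the information a
# switch currently holds for one of its ports.
KNOWN_ROOT = bridge_id(32768, "00:11:22:33:44:55")
STORED = parse_config_bpdu(build_config_bpdu(
    KNOWN_ROOT, 19, bridge_id(32768, "00:11:22:33:44:aa"), 0x8001))
```

The comparison deliberately stops at the four fields a switch uses to rank BPDUs; the timers and message age are decoded but do not influence which BPDU wins.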
Bridge ID, Switch Priority, and Extended System ID

The IEEE 802.1D standard requires that each switch has a unique bridge identifier (bridge ID), which
controls the selection of the root switch. Because each VLAN is considered as a different logical bridge
with PVST+ and rapid PVST+, the same switch must have a different bridge ID for each configured
VLAN. Each VLAN on the switch has a unique 8-byte bridge ID. The 2 most-significant bytes are used
for the switch priority, and the remaining 6 bytes are derived from the switch MAC address.

The switch supports the IEEE 802.1t spanning-tree extensions, and some of the bits previously used for
the switch priority are now used as the VLAN identifier. The result is that fewer MAC addresses are
reserved for the switch, and a larger range of VLAN IDs can be supported, all while maintaining the
uniqueness of the bridge ID. As shown in Table 12-1, the 2 bytes previously used for the switch priority
are reallocated into a 4-bit priority value and a 12-bit extended system ID value equal to the VLAN ID.


Table 12-1        Switch Priority Value and Extended System ID

Switch Priority Value        | Extended System ID (Set Equal to the VLAN ID)
Bit 16 Bit 15 Bit 14 Bit 13  | Bit 12 Bit 11 Bit 10 Bit 9  Bit 8  Bit 7  Bit 6  Bit 5  Bit 4  Bit 3  Bit 2  Bit 1
32768  16384  8192   4096    | 2048   1024   512    256    128    64     32     16     8      4      2      1

Spanning  tree  uses  the  extended  system  ID,  the  switch  priority,  and  the  allocated  spanning-tree  MAC 
address  to  make  the  bridge  ID  unique  for  each  VLAN. 

Support  for  the  extended  system  ID  affects  how  you  manually  configure  the  root  switch,  the  secondary 
root  switch,  and  the  switch  priority  of  a  VLAN.  For  example,  when  you  change  the  switch  priority  value, 
you  change  the  probability  that  the  switch  will  be  elected  as  the  root  switch.  Configuring  a  higher  value 
decreases  the  probability;  a  lower  value  increases  the  probability.  For  more  information,  see  the 
"Configuring  the  Root  Switch"  section  on  page  12-14,  the  "Configuring  a  Secondary  Root  Switch" 
section  on  page  12-16,  and  the  "Configuring  the  Switch  Priority  of  a  VLAN"  section  on  page  12-19. 
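To make Table 12-1 concrete, this added Python example (not Cisco code) packs a priority and a VLAN ID into the 2-byte field, appends the MAC address, and elects the root for a VLAN by lowest bridge ID among a constructed set of switches (the MAC addresses and priorities are sample values). It rejects priorities that are not multiples of 4096, because only the 4 most-significant bits remain available for the priority once the 12 low bits carry the VLAN ID.

```python
"""Per-VLAN bridge IDs with the IEEE 802.1t extended system ID (Table 12-1).

Added example, not Cisco code.
"""

PRIORITY_STEP = 4096        # only the 4 most-significant bits of the field are priority
MAX_PRIORITY = 61440        # 0xF000
DEFAULT_PRIORITY = 32768


def encode_priority_field(priority, vlan_id):
    """Return the 16-bit value stored in the first two bytes of the bridge ID."""
    if priority % PRIORITY_STEP or not 0 <= priority <= MAX_PRIORITY:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be between 1 and 4094")
    return priority | vlan_id


def decode_priority_field(field):
    """Split the 16-bit field back into (switch priority, extended system ID)."""
    return field & 0xF000, field & 0x0FFF


def bridge_id(priority, vlan_id, mac):
    """8-byte bridge ID: 2-byte priority field followed by the 6-byte MAC address."""
    field = encode_priority_field(priority, vlan_id)
    return field.to_bytes(2, "big") + bytes.fromhex(mac.replace(":", ""))


def elect_root(switches, vlan_id):
    """Return the MAC of the switch with the lowest bridge ID on this VLAN.

    switches: list of (mac, {vlan_id: priority}); VLANs not listed use the
    default priority of 32768, so the lowest MAC address wins among them.
    """
    candidates = [(bridge_id(prios.get(vlan_id, DEFAULT_PRIORITY), vlan_id, mac), mac)
                  for mac, prios in switches]
    return min(candidates)[1]


# Constructed sample network (invented MAC addresses): switch C has been
# given a better (lower) priority on VLAN 20 only.
SWITCHES = [
    ("00:11:22:33:44:55", {}),
    ("00:11:22:33:44:01", {}),
    ("00:11:22:33:44:99", {20: 24576}),
]
```

Because the VLAN ID occupies the low 12 bits, two VLANs on the same switch always produce distinct bridge IDs even though they share one MAC address, which is the point of the extended system ID.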


Spanning-Tree  Interface  States 

Propagation  delays  can  occur  when  protocol  information  passes  through  a  switched  LAN.  As  a  result, 
topology  changes  can  take  place  at  different  times  and  at  different  places  in  a  switched  network.  When 
an  interface  transitions  directly  from  nonparticipation  in  the  spanning-tree  topology  to  the  forwarding 
state,  it  can  create  temporary  data  loops.  Interfaces  must  wait  for  new  topology  information  to  propagate 
through  the  switched  LAN  before  starting  to  forward  frames.  They  must  allow  the  frame  lifetime  to 
expire  for  forwarded  frames  that  have  used  the  old  topology. 

Each  Layer  2  interface  on  a  switch  using  spanning  tree  exists  in  one  of  these  states: 

•  Blocking — The  interface  does  not  participate  in  frame  forwarding. 

•  Listening — The  first  transitional  state  after  the  blocking  state  when  the  spanning  tree  decides  that 
the  interface  should  participate  in  frame  forwarding. 

•  Learning — The  interface  prepares  to  participate  in  frame  forwarding. 

•  Forwarding — The  interface  forwards  frames. 

•  Disabled — The  interface  is  not  participating  in  spanning  tree  because  of  a  shutdown  port,  no  link  on 
the  port,  or  no  spanning-tree  instance  running  on  the  port. 
An interface moves through these states:

•  From  initialization  to  blocking 

•  From  blocking  to  listening  or  to  disabled 

•  From  listening  to  learning  or  to  disabled 

•  From  learning  to  forwarding  or  to  disabled 

•  From  forwarding  to  disabled 

Figure  12-1  illustrates  how  an  interface  moves  through  the  states. 


Figure 12-1        Spanning-Tree Interface States

(Figure not reproduced: power-on initialization leads to the blocking state, followed by the listening,
learning, and forwarding states; each of these states can also move to the disabled state.)

When  you  power  up  the  switch,  spanning  tree  is  enabled  by  default,  and  every  interface  in  the  switch, 
VLAN,  or  network  goes  through  the  blocking  state  and  the  transitory  states  of  listening  and  learning. 
Spanning  tree  stabilizes  each  interface  at  the  forwarding  or  blocking  state. 

When  the  spanning-tree  algorithm  places  a  Layer  2  interface  in  the  forwarding  state,  this  process  occurs: 

1.  The  interface  is  in  the  listening  state  while  spanning  tree  waits  for  protocol  information  to  move  the 
interface  to  the  blocking  state. 

2.  While spanning tree waits for the forward-delay timer to expire, it moves the interface to the learning
state and resets the forward-delay timer.

3.  In  the  learning  state,  the  interface  continues  to  block  frame  forwarding  as  the  switch  learns 
end-station  location  information  for  the  forwarding  database. 

4.  When  the  forward-delay  timer  expires,  spanning  tree  moves  the  interface  to  the  forwarding  state, 
where  both  learning  and  frame  forwarding  are  enabled. 
Blocking State

A  Layer  2  interface  in  the  blocking  state  does  not  participate  in  frame  forwarding.  After  initialization,  a 
BPDU  is  sent  to  each  switch  interface.  A  switch  initially  functions  as  the  root  until  it  exchanges  BPDUs 
with  other  switches.  This  exchange  establishes  which  switch  in  the  network  is  the  root  or  root  switch.  If 
there  is  only  one  switch  in  the  network,  no  exchange  occurs,  the  forward-delay  timer  expires,  and  the 
interface  moves  to  the  listening  state.  An  interface  always  enters  the  blocking  state  after  switch 
initialization. 

An  interface  in  the  blocking  state  performs  these  functions: 

•  Discards  frames  received  on  the  interface 

•  Discards  frames  switched  from  another  interface  for  forwarding 

•  Does  not  learn  addresses 

•  Receives  BPDUs 

Listening  State 

The  listening  state  is  the  first  state  a  Layer  2  interface  enters  after  the  blocking  state.  The  interface  enters 
this  state  when  the  spanning  tree  decides  that  the  interface  should  participate  in  frame  forwarding. 

An  interface  in  the  listening  state  performs  these  functions: 

•  Discards  frames  received  on  the  interface 

•  Discards  frames  switched  from  another  interface  for  forwarding 

•  Does  not  learn  addresses 

•  Receives  BPDUs 

Learning State

A Layer 2 interface in the learning state prepares to participate in frame forwarding. The interface enters
the learning state from the listening state.

An interface in the learning state performs these functions:

•  Discards frames received on the interface

•  Discards frames switched from another interface for forwarding

•  Learns addresses

•  Receives BPDUs

Forwarding State

A Layer 2 interface in the forwarding state forwards frames. The interface enters the forwarding state
from the learning state.

An interface in the forwarding state performs these functions:

•  Receives and forwards frames received on the interface

•  Forwards frames switched from another interface

•  Learns addresses

•  Receives BPDUs

Disabled State

A  Layer  2  interface  in  the  disabled  state  does  not  participate  in  frame  forwarding  or  in  the  spanning  tree. 
An  interface  in  the  disabled  state  is  nonoperational. 

A  disabled  interface  performs  these  functions: 

•  Discards  frames  received  on  the  interface 

•  Discards  frames  switched  from  another  interface  for  forwarding 

•  Does  not  learn  addresses 

•  Does  not  receive  BPDUs 
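The following Python model is an added example, not Cisco code. It encodes the transition list from "An interface moves through these states" and the per-state function lists for the blocking, listening, learning, forwarding, and disabled states, and drives a port from blocking to forwarding on a forward-delay timer. The 15-second forward delay is an assumption (the IEEE 802.1D default; this section does not give the value), and time is simulated rather than waited for.

```python
"""Spanning-tree interface states, allowed transitions, and per-state behaviour.

Added example, not Cisco code.
"""
from enum import Enum


class State(Enum):
    BLOCKING = "blocking"
    LISTENING = "listening"
    LEARNING = "learning"
    FORWARDING = "forwarding"
    DISABLED = "disabled"


# Allowed moves, one entry per line of "An interface moves through these states".
TRANSITIONS = {
    State.BLOCKING: {State.LISTENING, State.DISABLED},
    State.LISTENING: {State.LEARNING, State.DISABLED},
    State.LEARNING: {State.FORWARDING, State.DISABLED},
    State.FORWARDING: {State.DISABLED},
    State.DISABLED: set(),      # a disabled port must be re-initialized
}

# Per state: (forwards data frames, learns addresses, receives BPDUs)
BEHAVIOUR = {
    State.BLOCKING:   (False, False, True),
    State.LISTENING:  (False, False, True),
    State.LEARNING:   (False, True,  True),
    State.FORWARDING: (True,  True,  True),
    State.DISABLED:   (False, False, False),
}


class Port:
    def __init__(self, name, forward_delay=15):
        self.name = name
        self.forward_delay = forward_delay   # seconds; 15 is an assumed default
        self.state = State.BLOCKING          # every port enters blocking after initialization
        self.timer = 0                       # seconds left on the forward-delay timer
        self.mac_table = {}                  # addresses learned through this port
        self.history = [self.state]

    def transition(self, new_state):
        """Move to new_state if the transition list allows it."""
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.name}: {self.state.value} -> {new_state.value} is not allowed")
        self.state = new_state
        self.history.append(new_state)
        if new_state in (State.LISTENING, State.LEARNING):
            self.timer = self.forward_delay  # each transitory state waits a full forward delay

    def tick(self, seconds):
        """Advance simulated time; on expiry move listening -> learning -> forwarding."""
        self.timer = max(0, self.timer - seconds)
        if self.timer == 0:
            if self.state is State.LISTENING:
                self.transition(State.LEARNING)
            elif self.state is State.LEARNING:
                self.transition(State.FORWARDING)

    def receive(self, src_mac, dst_mac, is_bpdu=False):
        """Return what the port does with a received frame in its current state."""
        forwards, learns, bpdus = BEHAVIOUR[self.state]
        if is_bpdu:
            return "processed" if bpdus else "dropped"
        if learns:
            self.mac_table[src_mac] = self.name
        return "forwarded" if forwards else "discarded"


def converge(port, step=1):
    """Take a blocking port to forwarding; return the simulated seconds it took."""
    port.transition(State.LISTENING)
    elapsed = 0
    while port.state is not State.FORWARDING:
        port.tick(step)
        elapsed += step
    return elapsed
```

Note that a port in the learning state already populates its address table while still discarding data frames, which is exactly why that state exists: the forwarding database is filled before the port starts passing traffic.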

How  a  Switch  or  Port  Becomes  the  Root  Switch  or  Root  Port 

If  all  switches  in  a  network  are  enabled  with  default  spanning-tree  settings,  the  switch  with  the  lowest 
MAC  address  becomes  the  root  switch.  In  Figure  12-2,  Switch  A  is  elected  as  the  root  switch  because 
the  switch  priority  of  all  the  switches  is  set  to  the  default  (32768)  and  Switch  A  has  the  lowest  MAC 
address.  However,  because  of  traffic  patterns,  number  of  forwarding  interfaces,  or  link  types,  Switch  A 
might  not  be  the  ideal  root  switch.  By  increasing  the  priority  (lowering  the  numerical  value)  of  the  ideal 
switch  so  that  it  becomes  the  root  switch,  you  force  a  spanning-tree  recalculation  to  form  a  new  topology 
with  the  ideal  switch  as  the  root. 

Figure  12-2        Spanning-Tree  Topology 


RP  =  Root  Port 

DP  =  Designated  Port 

When  the  spanning-tree  topology  is  calculated  based  on  default  parameters,  the  path  between  source  and 
destination  end  stations  in  a  switched  network  might  not  be  ideal.  For  instance,  connecting  higher-speed 
links  to  an  interface  that  has  a  higher  number  than  the  root  port  can  cause  a  root-port  change.  The  goal 
is  to  make  the  fastest  link  the  root  port. 

For  example,  assume  that  one  port  on  Switch  B  is  a  Gigabit  Ethernet  link  and  that  another  port  on 
Switch  B  (a  10/100  link)  is  the  root  port.  Network  traffic  might  be  more  efficient  over  the  Gigabit 
Ethernet  link.  By  changing  the  spanning-tree  port  priority  on  the  Gigabit  Ethernet  port  to  a  higher 
priority  (lower  numerical  value)  than  the  root  port,  the  Gigabit  Ethernet  port  becomes  the  new  root  port. 
Spanning Tree and Redundant Connectivity

You  can  create  a  redundant  backbone  with  spanning  tree  by  connecting  two  switch  interfaces  to  another 
device  or  to  two  different  devices,  as  shown  in  Figure  12-3.  Spanning  tree  automatically  disables  one 
interface  but  enables  it  if  the  other  one  fails.  If  one  link  is  high-speed  and  the  other  is  low-speed,  the 
low-speed  link  is  always  disabled.  If  the  speeds  are  the  same,  the  port  priority  and  port  ID  are  added 
together,  and  spanning  tree  disables  the  link  with  the  lowest  value. 

Figure  12-3        Spanning  Tree  and  Redundant  Connectivity 


Blade  Servers 

You  can  also  create  redundant  links  between  switches  by  using  EtherChannel  groups.  For  more 
information,  see  Chapter  28,  "Configuring  EtherChannels  and  Layer  2  Trunk  Failover." 

Spanning-Tree  Address  Management 

IEEE 802.1D specifies 17 multicast addresses, ranging from 0x0180C2000000 to 0x0180C2000010, to
be used by different bridge protocols. These addresses are static addresses that cannot be removed.

Regardless  of  the  spanning-tree  state,  each  switch  receives  but  does  not  forward  packets  destined  for 
addresses  between  0x0180C2000000  and  0x0180C200000F. 

If  spanning  tree  is  enabled,  the  CPU  on  the  switch  receives  packets  destined  for  0x0180C2000000  and 
0x0180C2000010.  If  spanning  tree  is  disabled,  the  switch  forwards  those  packets  as  unknown  multicast 
addresses. 

Accelerated Aging to Retain Connectivity

The default for aging dynamic addresses is 5 minutes, the default setting of the mac address-table aging-time global configuration command. However, a spanning-tree reconfiguration can cause many station locations to change. Because these stations could be unreachable for 5 minutes or more during a reconfiguration, the address-aging time is accelerated so that station addresses can be dropped from the address table and then relearned. The accelerated aging is the same as the forward-delay parameter value (spanning-tree vlan vlan-id forward-time seconds global configuration command) when the spanning tree reconfigures.

Because each VLAN is a separate spanning-tree instance, the switch accelerates aging on a per-VLAN basis. A spanning-tree reconfiguration on one VLAN can cause the dynamic addresses learned on that VLAN to be subject to accelerated aging. Dynamic addresses on other VLANs can be unaffected and remain subject to the aging interval entered for the switch.
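The per-VLAN accelerated aging described above, modeled as an added example. This is illustrative Python written for this page, not code from the switch software; the MAC addresses, VLAN numbers and port names are constructed, the timings are the defaults the page quotes (300-second aging, 15-second forward delay), and the choice to return a VLAN to normal aging once one forward-delay interval has elapsed after the reconfiguration is an assumption of the model.

```python
"""Per-VLAN accelerated MAC-address aging after a spanning-tree
reconfiguration. Added illustration for this page, not CGESM code."""
from dataclasses import dataclass, field

DEFAULT_AGING_TIME = 300     # mac address-table aging-time default (5 minutes)
DEFAULT_FORWARD_DELAY = 15   # spanning-tree vlan <id> forward-time default


@dataclass
class Entry:
    port: str
    learned_at: float


@dataclass
class MacTable:
    aging_time: int = DEFAULT_AGING_TIME
    forward_delay: int = DEFAULT_FORWARD_DELAY
    entries: dict = field(default_factory=dict)            # vlan -> {mac: Entry}
    accelerated_since: dict = field(default_factory=dict)  # vlan -> time of reconfiguration

    def learn(self, vlan: int, mac: str, port: str, now: float) -> None:
        self.entries.setdefault(vlan, {})[mac] = Entry(port, now)

    def topology_change(self, vlan: int, now: float) -> None:
        """A reconfiguration on one VLAN accelerates aging on that VLAN only;
        every other VLAN keeps the configured aging interval."""
        self.accelerated_since[vlan] = now

    def effective_aging(self, vlan: int) -> int:
        return self.forward_delay if vlan in self.accelerated_since else self.aging_time

    def expire(self, now: float) -> dict:
        """Drop entries older than their VLAN's effective aging interval.
        Returns {vlan: [dropped macs]} so the effect can be inspected."""
        dropped = {}
        for vlan, table in self.entries.items():
            limit = self.effective_aging(vlan)
            stale = [m for m, e in table.items() if now - e.learned_at >= limit]
            for m in stale:
                del table[m]
            if stale:
                dropped[vlan] = stale
        # Assumption of this model: once one forward-delay interval has passed
        # since the reconfiguration, the VLAN returns to normal aging.
        for vlan in list(self.accelerated_since):
            if now - self.accelerated_since[vlan] >= self.forward_delay:
                del self.accelerated_since[vlan]
        return dropped

    def lookup(self, vlan: int, mac: str):
        e = self.entries.get(vlan, {}).get(mac)
        return e.port if e else None


def demo() -> tuple:
    """Constructed scenario: two stations learned at t=0 on VLANs 10 and 20,
    then a reconfiguration on VLAN 10 at t=100. Only VLAN 10's entry ages out;
    VLAN 20's entry is still well inside the 300-second interval."""
    t = MacTable()
    t.learn(10, "0000.1111.aaaa", "Gi0/1", now=0)
    t.learn(20, "0000.2222.bbbb", "Gi0/2", now=0)
    t.topology_change(10, now=100)
    dropped = t.expire(now=100)
    return dropped, t.lookup(20, "0000.2222.bbbb")


if __name__ == "__main__":
    print(demo())
```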

Spanning-Tree Modes and Protocols

The switch supports these spanning-tree modes and protocols:

• PVST+: This spanning-tree mode is based on the IEEE 802.1D standard and Cisco proprietary extensions. It is the default spanning-tree mode used on all Ethernet port-based VLANs. The PVST+ runs on each VLAN on the switch up to the maximum supported, ensuring that each has a loop-free path through the network.

The PVST+ provides Layer 2 load balancing for the VLAN on which it runs. You can create different logical topologies by using the VLANs on your network to ensure that all of your links are used but that no one link is oversubscribed. Each instance of PVST+ on a VLAN has a single root switch. This root switch propagates the spanning-tree information associated with that VLAN to all other switches in the network. Because each switch has the same information about the network, this process ensures that the network topology is maintained.

• Rapid PVST+: This spanning-tree mode is the same as PVST+ except that it uses a rapid convergence based on the IEEE 802.1w standard. To provide rapid convergence, the rapid PVST+ immediately deletes dynamically learned MAC address entries on a per-port basis upon receiving a topology change. By contrast, PVST+ uses a short aging time for dynamically learned MAC address entries.

The rapid PVST+ uses the same configuration as PVST+ (except where noted), and the switch needs only minimal extra configuration. The benefit of rapid PVST+ is that you can migrate a large PVST+ install base to rapid PVST+ without having to learn the complexities of the MSTP configuration and without having to reprovision your network. In rapid-PVST+ mode, each VLAN runs its own spanning-tree instance up to the maximum supported.

• MSTP: This spanning-tree mode is based on the IEEE 802.1s standard. You can map multiple VLANs to the same spanning-tree instance, which reduces the number of spanning-tree instances required to support a large number of VLANs. The MSTP runs on top of the RSTP (based on IEEE 802.1w), which provides for rapid convergence of the spanning tree by eliminating the forward delay and by quickly transitioning root ports and designated ports to the forwarding state. You cannot run MSTP without RSTP.

The most common initial deployment of MSTP is in the backbone and distribution layers of a Layer 2 switched network. For more information, see Chapter 13, "Configuring MSTP."

For information about the number of supported spanning-tree instances, see the next section.

Supported Spanning-Tree Instances

In PVST+ or rapid-PVST+ mode, the switch supports up to 128 spanning-tree instances.

In MSTP mode, the switch supports up to 65 MST instances. The number of VLANs that can be mapped to a particular MST instance is unlimited.

For information about how spanning tree interoperates with the VLAN Trunking Protocol (VTP), see the "Spanning-Tree Configuration Guidelines" section on page 12-12.
Spanning-Tree Interoperability and Backward Compatibility

Table 12-2 lists the interoperability and compatibility among the supported spanning-tree modes in a network.

Table 12-2 PVST+, MSTP, and Rapid-PVST+ Interoperability

                 PVST+                      MSTP                       Rapid PVST+
PVST+            Yes                        Yes (with restrictions)    Yes (reverts to PVST+)
MSTP             Yes (with restrictions)    Yes                        Yes (reverts to PVST+)
Rapid PVST+      Yes (reverts to PVST+)     Yes (reverts to PVST+)     Yes

In a mixed MSTP and PVST+ network, the common spanning-tree (CST) root must be inside the MST backbone, and a PVST+ switch cannot connect to multiple MST regions.

When a network contains switches running rapid PVST+ and switches running PVST+, we recommend that the rapid-PVST+ switches and PVST+ switches be configured for different spanning-tree instances. In the rapid-PVST+ spanning-tree instances, the root switch must be a rapid-PVST+ switch. In the PVST+ instances, the root switch must be a PVST+ switch. The PVST+ switches should be at the edge of the network.

STP and IEEE 802.1Q Trunks

The IEEE 802.1Q standard for VLAN trunks imposes some limitations on the spanning-tree strategy for a network. The standard requires only one spanning-tree instance for all VLANs allowed on the trunks. However, in a network of Cisco switches connected through IEEE 802.1Q trunks, the switches maintain one spanning-tree instance for each VLAN allowed on the trunks.

When you connect a Cisco switch to a non-Cisco device through an IEEE 802.1Q trunk, the Cisco switch uses PVST+ to provide spanning-tree interoperability. If rapid PVST+ is enabled, the switch uses it instead of PVST+. The switch combines the spanning-tree instance of the IEEE 802.1Q VLAN of the trunk with the spanning-tree instance of the non-Cisco IEEE 802.1Q switch.

However, all PVST+ or rapid-PVST+ information is maintained by Cisco switches separated by a cloud of non-Cisco IEEE 802.1Q switches. The non-Cisco IEEE 802.1Q cloud separating the Cisco switches is treated as a single trunk link between the switches.

PVST+ is automatically enabled on IEEE 802.1Q trunks, and no user configuration is required. The external spanning-tree behavior on access ports and Inter-Switch Link (ISL) trunk ports is not affected by PVST+.

For more information on IEEE 802.1Q trunks, see Chapter 9, "Configuring VLANs."

Configuring Spanning-Tree Features

These sections contain this configuration information:

• Default Spanning-Tree Configuration, page 12-11

• Spanning-Tree Configuration Guidelines, page 12-12

• Changing the Spanning-Tree Mode, page 12-13 (required)

• Disabling Spanning Tree, page 12-14 (optional)

• Configuring the Root Switch, page 12-14 (optional)

• Configuring a Secondary Root Switch, page 12-16 (optional)

• Configuring Port Priority, page 12-16 (optional)

• Configuring Path Cost, page 12-18 (optional)

• Configuring the Switch Priority of a VLAN, page 12-19 (optional)

• Configuring Spanning-Tree Timers, page 12-20 (optional)

Default Spanning-Tree Configuration

Table 12-3 shows the default spanning-tree configuration.

Table 12-3 Default Spanning-Tree Configuration

Feature                                                               Default Setting
Enable state                                                          Enabled on VLAN 1. For more information, see the "Supported Spanning-Tree Instances" section on page 12-9.
Spanning-tree mode                                                    PVST+. (Rapid PVST+ and MSTP are disabled.)
Switch priority                                                       32768.
Spanning-tree port priority (configurable on a per-interface basis)   128.
Spanning-tree port cost (configurable on a per-interface basis)       1000 Mb/s: 4. 100 Mb/s: 19. 10 Mb/s: 100.
Spanning-tree VLAN port priority (configurable on a per-VLAN basis)   128.
Spanning-tree VLAN port cost (configurable on a per-VLAN basis)       1000 Mb/s: 4. 100 Mb/s: 19. 10 Mb/s: 100.
Spanning-tree timers                                                  Hello time: 2 seconds. Forward-delay time: 15 seconds. Maximum-aging time: 20 seconds. Transmit hold count: 6 BPDUs.
Spanning-Tree Configuration Guidelines

If more VLANs are defined in the VTP than there are spanning-tree instances, you can enable PVST+ or rapid PVST+ on only 128 VLANs on the switch. The remaining VLANs operate with spanning tree disabled. However, you can map multiple VLANs to the same spanning-tree instances by using MSTP. For more information, see Chapter 13, "Configuring MSTP."

If 128 instances of spanning tree are already in use, you can disable spanning tree on one of the VLANs and then enable it on the VLAN where you want it to run. Use the no spanning-tree vlan vlan-id global configuration command to disable spanning tree on a specific VLAN, and use the spanning-tree vlan vlan-id global configuration command to enable spanning tree on the desired VLAN.

Caution   Switches that are not running spanning tree still forward BPDUs that they receive so that the other switches on the VLAN that have a running spanning-tree instance can break loops. Therefore, spanning tree must be running on enough switches to break all the loops in the network; for example, at least one switch on each loop in the VLAN must be running spanning tree. It is not absolutely necessary to run spanning tree on all switches in the VLAN. However, if you are running spanning tree only on a minimal set of switches, an incautious change to the network that introduces another loop into the VLAN can result in a broadcast storm.

Note   If you have already used all available spanning-tree instances on your switch, adding another VLAN anywhere in the VTP domain creates a VLAN that is not running spanning tree on that switch. If you have the default allowed list on the trunk ports of that switch, the new VLAN is carried on all trunk ports. Depending on the topology of the network, this could create a loop in the new VLAN that will not be broken, particularly if there are several adjacent switches that have all run out of spanning-tree instances. You can prevent this possibility by setting up allowed lists on the trunk ports of switches that have used up their allocation of spanning-tree instances. Setting up allowed lists is not necessary in many cases and can make it more labor-intensive to add another VLAN to the network.

Spanning-tree commands control the configuration of VLAN spanning-tree instances. You create a spanning-tree instance when you assign an interface to a VLAN. The spanning-tree instance is removed when the last interface is moved to another VLAN. You can configure switch and port parameters before a spanning-tree instance is created; these parameters are applied when the spanning-tree instance is created.

The switch supports PVST+, rapid PVST+, and MSTP, but only one version can be active at any time. (For example, all VLANs run PVST+, all VLANs run rapid PVST+, or all VLANs run MSTP.) For information about the different spanning-tree modes and how they interoperate, see the "Spanning-Tree Interoperability and Backward Compatibility" section on page 12-10.

For configuration guidelines about UplinkFast and BackboneFast, see the "Optional Spanning-Tree Configuration Guidelines" section on page 14-10.

Caution   Loop guard works only on point-to-point links. We recommend that each end of the link has a directly connected device that is running STP.
Changing the Spanning-Tree Mode

The switch supports three spanning-tree modes: PVST+, rapid PVST+, or MSTP. By default, the switch runs the PVST+ protocol.

Beginning in privileged EXEC mode, follow these steps to change the spanning-tree mode. If you want to enable a mode that is different from the default mode, this procedure is required.

Step    Command                                        Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  spanning-tree mode {pvst | mst | rapid-pvst}
        Configure a spanning-tree mode.
        • Select pvst to enable PVST+ (the default setting).
        • Select mst to enable MSTP (and RSTP). For more configuration steps, see Chapter 13, "Configuring MSTP."
        • Select rapid-pvst to enable rapid PVST+.

Step 3  interface interface-id
        (Recommended for rapid-PVST+ mode only) Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports, VLANs, and port channels. The VLAN ID range is 1 to 4094. The port-channel range is 1 to 48.

Step 4  spanning-tree link-type point-to-point
        (Recommended for rapid-PVST+ mode only) Specify that the link type for this port is point-to-point.
        If you connect this port (local port) to a remote port through a point-to-point link and the local port becomes a designated port, the switch negotiates with the remote port and rapidly changes the local port to the forwarding state.

Step 5  end
        Return to privileged EXEC mode.

Step 6  clear spanning-tree detected-protocols
        (Recommended for rapid-PVST+ mode only) If any port on the switch is connected to a port on a legacy IEEE 802.1D switch, restart the protocol migration process on the entire switch.
        This step is optional if the designated switch detects that this switch is running rapid PVST+.

Step 7  show spanning-tree summary
        and
        show spanning-tree interface interface-id
        Verify your entries.

Step 8  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return to the default setting, use the no spanning-tree mode global configuration command. To return the port to its default setting, use the no spanning-tree link-type interface configuration command.
Disabling Spanning Tree

Spanning tree is enabled by default on VLAN 1 and on all newly created VLANs up to the spanning-tree limit specified in the "Supported Spanning-Tree Instances" section on page 12-9. Disable spanning tree only if you are sure there are no loops in the network topology.

Caution   When spanning tree is disabled and loops are present in the topology, excessive traffic and indefinite packet duplication can drastically reduce network performance.

Beginning in privileged EXEC mode, follow these steps to disable spanning tree on a per-VLAN basis. This procedure is optional.

Step    Command                                        Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  no spanning-tree vlan vlan-id
        For vlan-id, the range is 1 to 4094.

Step 3  end
        Return to privileged EXEC mode.

Step 4  show spanning-tree vlan vlan-id
        Verify your entries.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To re-enable spanning tree, use the spanning-tree vlan vlan-id global configuration command.


Configuring the Root Switch

The switch maintains a separate spanning-tree instance for each active VLAN configured on it. A bridge ID, consisting of the switch priority and the switch MAC address, is associated with each instance. For each VLAN, the switch with the lowest bridge ID becomes the root switch for that VLAN.

To configure a switch to become the root for the specified VLAN, use the spanning-tree vlan vlan-id root global configuration command to modify the switch priority from the default value (32768) to a significantly lower value. When you enter this command, the software checks the switch priority of the root switches for each VLAN. Because of the extended system ID support, the switch sets its own priority for the specified VLAN to 24576 if this value will cause this switch to become the root for the specified VLAN.

If any root switch for the specified VLAN has a switch priority lower than 24576, the switch sets its own priority for the specified VLAN to 4096 less than the lowest switch priority. (4096 is the value of the least-significant bit of a 4-bit switch priority value as shown in Table 12-1 on page 12-4.)

Note   The spanning-tree vlan vlan-id root global configuration command fails if the value necessary to be the root switch is less than 1.

Note   If your network consists of switches that both do and do not support the extended system ID, it is unlikely that the switch with the extended system ID support will become the root switch. The extended system ID increases the switch priority value every time the VLAN number is greater than the priority of the connected switches running older software.

Note   The root switch for each spanning-tree instance should be a backbone or distribution switch. Do not configure an access switch as the spanning-tree primary root.

Use the diameter keyword to specify the Layer 2 network diameter (that is, the maximum number of switch hops between any two end stations in the Layer 2 network). When you specify the network diameter, the switch automatically sets an optimal hello time, forward-delay time, and maximum-age time for a network of that diameter, which can significantly reduce the convergence time. You can use the hello keyword to override the automatically calculated hello time.

Note   After configuring the switch as the root switch, we recommend that you avoid manually configuring the hello time, forward-delay time, and maximum-age time through the spanning-tree vlan vlan-id hello-time, spanning-tree vlan vlan-id forward-time, and the spanning-tree vlan vlan-id max-age global configuration commands.

Beginning in privileged EXEC mode, follow these steps to configure a switch to become the root for the specified VLAN. This procedure is optional.

Step    Command                                        Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  spanning-tree vlan vlan-id root primary [diameter net-diameter [hello-time seconds]]
        Configure a switch to become the root for the specified VLAN.
        • For vlan-id, you can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
        • (Optional) For diameter net-diameter, specify the maximum number of switches between any two end stations. The range is 2 to 7.
        • (Optional) For hello-time seconds, specify the interval in seconds between the generation of configuration messages by the root switch. The range is 1 to 10; the default is 2.

Step 3  end
        Return to privileged EXEC mode.

Step 4  show spanning-tree detail
        Verify your entries.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return to the default setting, use the no spanning-tree vlan vlan-id root global configuration command.
Configuring a Secondary Root Switch

When you configure a switch as the secondary root, the switch priority is modified from the default value (32768) to 28672. The switch is then likely to become the root switch for the specified VLAN if the primary root switch fails. This is assuming that the other network switches use the default switch priority of 32768 and therefore are unlikely to become the root switch.

You can execute this command on more than one switch to configure multiple backup root switches. Use the same network diameter and hello-time values that you used when you configured the primary root switch with the spanning-tree vlan vlan-id root primary global configuration command.
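The priority arithmetic behind the root primary and root secondary commands, and the bridge-ID comparison that decides the root, as an added example covering both this section and "Configuring the Root Switch". This is illustrative Python written for this page, not switch software; the switch names and MAC addresses in the failover scenario are constructed, and one modeling assumption is stated inline: a current root already at exactly 24576 is treated as not beaten, so the switch steps 4096 below it (the page only states the case of a root priority lower than 24576).

```python
"""Root election with the extended system ID, and the priority chosen by
'spanning-tree vlan <id> root primary|secondary'. Added illustration for
this page, not CGESM code."""

DEFAULT_PRIORITY = 32768
PRIMARY_ROOT_PRIORITY = 24576
SECONDARY_ROOT_PRIORITY = 28672
PRIORITY_STEP = 4096                        # least-significant bit of the 4-bit priority field
VALID_PRIORITIES = set(range(0, 61440 + 1, PRIORITY_STEP))


def validate_priority(priority: int) -> int:
    """'spanning-tree vlan <id> priority' accepts 0..61440 in steps of 4096."""
    if priority not in VALID_PRIORITIES:
        raise ValueError(f"priority {priority} rejected: 0..61440 in increments of 4096")
    return priority


def bridge_id(priority: int, vlan_id: int, mac: str) -> tuple:
    """With the extended system ID the VLAN number is added to the configured
    priority; the lowest (priority + vlan, MAC) pair wins the election."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("vlan-id must be 1..4094")
    return (priority + vlan_id, mac.lower())


def elect_root(vlan_id: int, switches: dict) -> str:
    """switches: {name: (priority, mac)}. Returns the name of the root for vlan_id."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], vlan_id, switches[n][1]))


def root_primary_priority(current_root_priority: int) -> int:
    """Priority this switch adopts for 'root primary'.

    24576 is used when it is enough to win; otherwise the switch goes 4096
    below the lowest root priority it sees. Assumption: a root already at
    24576 counts as not beaten. The command fails if the needed value is
    less than 1, which is exactly what the page's Note describes."""
    if current_root_priority > PRIMARY_ROOT_PRIORITY:
        return PRIMARY_ROOT_PRIORITY
    needed = current_root_priority - PRIORITY_STEP
    if needed < 1:
        raise ValueError("root primary fails: required priority would be less than 1")
    return needed


def failover_demo(vlan_id: int = 10) -> tuple:
    """Constructed topology: A runs 'root primary', B 'root secondary', C and D
    keep the default. Returns (root, root after A fails). C has the lowest
    MAC, but MAC only breaks ties at equal priority, so it never wins."""
    switches = {
        "A": (root_primary_priority(DEFAULT_PRIORITY), "0000.0000.00aa"),
        "B": (SECONDARY_ROOT_PRIORITY, "0000.0000.00bb"),
        "C": (DEFAULT_PRIORITY, "0000.0000.0001"),
        "D": (DEFAULT_PRIORITY, "0000.0000.00dd"),
    }
    before = elect_root(vlan_id, switches)
    del switches["A"]                       # primary root fails
    after = elect_root(vlan_id, switches)
    return before, after


if __name__ == "__main__":
    print(failover_demo())
```

The election is only as strong as the lowest priority in the VLAN: any switch configured with a priority below 24576 displaces a root primary set the default way, which is why the page recommends that the root be a backbone or distribution switch and that access switches never be configured as the primary root.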

Beginning in privileged EXEC mode, follow these steps to configure a switch to become the secondary root for the specified VLAN. This procedure is optional.

Step    Command                                        Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  spanning-tree vlan vlan-id root secondary [diameter net-diameter [hello-time seconds]]
        Configure a switch to become the secondary root for the specified VLAN.
        • For vlan-id, you can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
        • (Optional) For diameter net-diameter, specify the maximum number of switches between any two end stations. The range is 2 to 7.
        • (Optional) For hello-time seconds, specify the interval in seconds between the generation of configuration messages by the root switch. The range is 1 to 10; the default is 2.
        Use the same network diameter and hello-time values that you used when configuring the primary root switch. See the "Configuring the Root Switch" section on page 12-14.

Step 3  end
        Return to privileged EXEC mode.

Step 4  show spanning-tree detail
        Verify your entries.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return to the default setting, use the no spanning-tree vlan vlan-id root global configuration command.


Configuring Port Priority

If a loop occurs, spanning tree uses the port priority when selecting an interface to put into the forwarding state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) that you want selected last. If all interfaces have the same priority value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces.

Beginning in privileged EXEC mode, follow these steps to configure the port priority of an interface. This procedure is optional.

Step    Command                                        Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify an interface to configure, and enter interface configuration mode.
        Valid interfaces include physical ports and port-channel logical interfaces (port-channel port-channel-number).

Step 3  spanning-tree port-priority priority
        Configure the port priority for an interface.
        For priority, the range is 0 to 240, in increments of 16; the default is 128. Valid values are 0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, and 240. All other values are rejected. The lower the number, the higher the priority.

Step 4  spanning-tree vlan vlan-id port-priority priority
        Configure the port priority for a VLAN.
        • For vlan-id, you can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
        • For priority, the range is 0 to 240, in increments of 16; the default is 128. Valid values are 0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, and 240. All other values are rejected. The lower the number, the higher the priority.

Step 5  end
        Return to privileged EXEC mode.

Step 6  show spanning-tree interface interface-id
        or
        show spanning-tree vlan vlan-id
        Verify your entries.

Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Note   The show spanning-tree interface interface-id privileged EXEC command displays information only if the port is in a link-up operative state. Otherwise, you can use the show running-config interface privileged EXEC command to confirm the configuration.

To return to the default setting, use the no spanning-tree [vlan vlan-id] port-priority interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree port priorities, see the "Configuring Trunk Ports for Load Sharing" section on page 9-22.
Configuring Path Cost

The spanning-tree path cost default value is derived from the media speed of an interface. If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values that you want selected last. If all interfaces have the same cost value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces.
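The selection rule described in this section and in "Configuring Port Priority", as one added example serving both: among redundant candidate interfaces the lowest path cost wins, then the lowest (numerically) port priority, then the lowest interface number, and the value ranges the two commands accept are checked the way the step tables describe them. This is illustrative Python written for this page, not switch software; the interface names and speeds are constructed, and the speed-to-cost defaults are the ones in Table 12-3.

```python
"""Which of several redundant interfaces spanning tree puts into the
forwarding state, given path cost, port priority and interface number.
Added illustration for this page, not CGESM code."""
import re
from dataclasses import dataclass
from typing import List, Optional

VALID_PORT_PRIORITIES = set(range(0, 240 + 1, 16))   # 0..240 in increments of 16
DEFAULT_PORT_PRIORITY = 128
MAX_COST = 200_000_000                               # spanning-tree cost range is 1..200000000
DEFAULT_COST_BY_SPEED_MBPS = {1000: 4, 100: 19, 10: 100}   # Table 12-3 defaults


def validate_port_priority(priority: int) -> int:
    """spanning-tree port-priority rejects anything not a multiple of 16 in 0..240."""
    if priority not in VALID_PORT_PRIORITIES:
        raise ValueError(f"port-priority {priority} rejected: 0..240 in increments of 16")
    return priority


def validate_cost(cost: int) -> int:
    if not 1 <= cost <= MAX_COST:
        raise ValueError(f"cost {cost} rejected: 1..{MAX_COST}")
    return cost


@dataclass
class Candidate:
    name: str                       # constructed, e.g. "Gi0/17"
    speed_mbps: int
    priority: int = DEFAULT_PORT_PRIORITY
    cost: Optional[int] = None      # None -> derived from the media speed

    def path_cost(self) -> int:
        if self.cost is not None:
            return self.cost
        return DEFAULT_COST_BY_SPEED_MBPS[self.speed_mbps]

    def interface_number(self) -> tuple:
        # "Gi0/17" -> (0, 17): compare numerically so Gi0/2 sorts before Gi0/17
        return tuple(int(n) for n in re.findall(r"\d+", self.name))


def select_forwarding(candidates: List[Candidate]) -> str:
    """Name of the interface put into the forwarding state; the others block.
    Order of comparison: path cost, then port priority, then interface number."""
    for c in candidates:
        validate_port_priority(c.priority)
        validate_cost(c.path_cost())
    winner = min(candidates, key=lambda c: (c.path_cost(), c.priority, c.interface_number()))
    return winner.name


def demo() -> tuple:
    """Three constructed cases on the same pair of uplinks."""
    # 1. Same speed, same priority: lowest interface number forwards.
    equal = [Candidate("Gi0/17", 1000), Candidate("Gi0/2", 1000)]
    # 2. Gi0/2 is only 100 Mb/s (cost 19), so the gigabit link forwards.
    by_cost = [Candidate("Gi0/17", 1000), Candidate("Gi0/2", 100)]
    # 3. Same speed, but Gi0/17 is given a better (lower) priority.
    by_priority = [Candidate("Gi0/17", 1000, priority=64), Candidate("Gi0/2", 1000)]
    return (select_forwarding(equal), select_forwarding(by_cost), select_forwarding(by_priority))


if __name__ == "__main__":
    print(demo())
```

Setting the priority on one side only affects the election when costs are already equal, which is the point of the page's ordering: a cost change on a slower link cannot be undone by a priority change on the faster one.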

Beginning in privileged EXEC mode, follow these steps to configure the cost of an interface. This procedure is optional.

Step    Command                                        Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel logical interfaces (port-channel port-channel-number).

Step 3  spanning-tree cost cost
        Configure the cost for an interface.
        If a loop occurs, spanning tree uses the path cost when selecting an interface to place into the forwarding state. A lower path cost represents higher-speed transmission.
        For cost, the range is 1 to 200000000; the default value is derived from the media speed of the interface.

Step 4  spanning-tree vlan vlan-id cost cost
        Configure the cost for a VLAN.
        If a loop occurs, spanning tree uses the path cost when selecting an interface to place into the forwarding state. A lower path cost represents higher-speed transmission.
        • For vlan-id, you can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
        • For cost, the range is 1 to 200000000; the default value is derived from the media speed of the interface.

Step 5  end
        Return to privileged EXEC mode.

Step 6  show spanning-tree interface interface-id
        or
        show spanning-tree vlan vlan-id
        Verify your entries.

Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Note   The show spanning-tree interface interface-id privileged EXEC command displays information only for ports that are in a link-up operative state. Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration.

To return to the default setting, use the no spanning-tree [vlan vlan-id] cost interface configuration command. For information on how to configure load sharing on trunk ports by using spanning-tree path costs, see the "Configuring Trunk Ports for Load Sharing" section on page 9-22.

Configuring the Switch Priority of a VLAN

You can configure the switch priority and make it more likely that the switch will be chosen as the root switch.

Note   Exercise care when using this command. For most situations, we recommend that you use the spanning-tree vlan vlan-id root primary and the spanning-tree vlan vlan-id root secondary global configuration commands to modify the switch priority.

Beginning in privileged EXEC mode, follow these steps to configure the switch priority of a VLAN. This procedure is optional.

Step    Command                                        Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  spanning-tree vlan vlan-id priority priority
        Configure the switch priority of a VLAN.
        • For vlan-id, you can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
        • For priority, the range is 0 to 61440 in increments of 4096; the default is 32768. The lower the number, the more likely the switch will be chosen as the root switch.
        Valid priority values are 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440. All other values are rejected.

Step 3  end
        Return to privileged EXEC mode.

Step 4  show spanning-tree vlan vlan-id
        Verify your entries.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return to the default setting, use the no spanning-tree vlan vlan-id priority global configuration command.
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Configuring  Spanning-Tree  Timers 


Table  12-4  describes  the  timers  that  affect  the  entire  spanning-tree  performance. 
Table 12-4  Spanning-Tree Timers

Variable               Description
Hello timer            Controls how often the switch broadcasts hello messages to other switches.
Forward-delay timer    Controls how long each of the listening and learning states last before the
                       interface begins forwarding.
Maximum-age timer      Controls the amount of time the switch stores protocol information received on an
                       interface.
Transmit hold count    Controls the number of BPDUs that can be sent before pausing for 1 second.

The  sections  that  follow  provide  the  configuration  steps. 


Configuring  the  Hello  Time 

You  can  configure  the  interval  between  the  generation  of  configuration  messages  by  the  root  switch  by 
changing  the  hello  time. 

Note      Exercise care when using this command. For most situations, we recommend that you use the
spanning-tree vlan vlan-id root primary and the spanning-tree vlan vlan-id root secondary global
configuration commands to modify the hello time.


Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  the  hello  time  of  a  VLAN.  This 
procedure  is  optional. 


Step 1    configure terminal
          Enter global configuration mode.

Step 2    spanning-tree vlan vlan-id hello-time seconds
          Configure the hello time of a VLAN. The hello time is the interval between the generation of
          configuration messages by the root switch. These messages mean that the switch is alive.
          • For vlan-id, you can specify a single VLAN identified by VLAN ID number, a range of VLANs
            separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
          • For seconds, the range is 1 to 10; the default is 2.

Step 3    end
          Return to privileged EXEC mode.

Step 4    show spanning-tree vlan vlan-id
          Verify your entries.

Step 5    copy running-config startup-config
          (Optional) Save your entries in the configuration file.


To  return  to  the  default  setting,  use  the  no  spanning-tree  vlan  vlan-id  hello-time  global  configuration 
command. 

Configuring the Forwarding-Delay Time for a VLAN


Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  the  forwarding-delay  time  for  a 
VLAN.  This  procedure  is  optional. 


Step 1    configure terminal
          Enter global configuration mode.

Step 2    spanning-tree vlan vlan-id forward-time seconds
          Configure the forward time of a VLAN. The forward delay is the number of seconds an interface
          waits before changing from its spanning-tree learning and listening states to the forwarding state.
          • For vlan-id, you can specify a single VLAN identified by VLAN ID number, a range of VLANs
            separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
          • For seconds, the range is 4 to 30; the default is 15.

Step 3    end
          Return to privileged EXEC mode.

Step 4    show spanning-tree vlan vlan-id
          Verify your entries.

Step 5    copy running-config startup-config
          (Optional) Save your entries in the configuration file.

To  return  to  the  default  setting,  use  the  no  spanning-tree  vlan  vlan-id  forward-time  global 
configuration  command. 


Configuring  the  Maximum-Aging  Time  for  a  VLAN 


Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  the  maximum-aging  time  for  a 
VLAN.  This  procedure  is  optional. 


Step 1    configure terminal
          Enter global configuration mode.

Step 2    spanning-tree vlan vlan-id max-age seconds
          Configure the maximum-aging time of a VLAN. The maximum-aging time is the number of seconds
          a switch waits without receiving spanning-tree configuration messages before attempting a
          reconfiguration.
          • For vlan-id, you can specify a single VLAN identified by VLAN ID number, a range of VLANs
            separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
          • For seconds, the range is 6 to 40; the default is 20.

Step 3    end
          Return to privileged EXEC mode.

Step 4    show spanning-tree vlan vlan-id
          Verify your entries.

Step 5    copy running-config startup-config
          (Optional) Save your entries in the configuration file.


To  return  to  the  default  setting,  use  the  no  spanning-tree  vlan  vlan-id  max-age  global  configuration 
command. 

Configuring the Transmit Hold-Count

You  can  configure  the  BPDU  burst  size  by  changing  the  transmit  hold  count  value. 


Note      Changing  this  parameter  to  a  higher  value  can  have  a  significant  impact  on  CPU  utilization,  especially 
in  Rapid-PVST  mode.  Lowering  this  value  can  slow  down  convergence  in  certain  scenarios.  We 
recommend  that  you  maintain  the  default  setting. 


Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  the  transmit  hold-count.  This 
procedure  is  optional. 


Step 1    configure terminal
          Enter global configuration mode.

Step 2    spanning-tree transmit hold-count value
          Configure the number of BPDUs that can be sent before pausing for 1 second.
          For value, the range is 1 to 20; the default is 6.

Step 3    end
          Return to privileged EXEC mode.

Step 4    show spanning-tree detail
          Verify your entries.

Step 5    copy running-config startup-config
          (Optional) Save your entries in the configuration file.


To return to the default setting, use the no spanning-tree transmit hold-count value global
configuration command.
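As an added example (not from the Cisco guide), the following Python helper validates the per-VLAN STP values from the procedures above against the ranges the guide gives (priority, hello-time, forward-time, max-age, the vlan-id argument forms) and emits the matching global configuration commands; the relationship check between the three timers is the IEEE 802.1D rule, added here as an assumption since the guide does not state it.

```python
"""Validate per-VLAN STP settings and emit the matching IOS global configuration commands.

Added example, not from the Cisco guide. The value ranges are the ones the
procedures above give; the timer relationship check is an IEEE 802.1D rule
added here as an assumption, the guide itself does not state it.
"""
from dataclasses import dataclass
from typing import List, Optional

VLAN_MIN, VLAN_MAX = 1, 4094
PRIORITY_STEP, PRIORITY_MAX = 4096, 61440


def parse_vlan_spec(spec: str) -> List[int]:
    """Expand a vlan-id argument: a single ID, a hyphenated range, or a comma series."""
    vlans: List[int] = []
    for part in spec.replace(" ", "").split(","):
        if not part:
            raise ValueError(f"empty element in VLAN list {spec!r}")
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"inverted range {part!r}")
        else:
            lo = hi = int(part)
        for vlan in range(lo, hi + 1):
            if not VLAN_MIN <= vlan <= VLAN_MAX:
                raise ValueError(f"VLAN {vlan} is outside {VLAN_MIN}-{VLAN_MAX}")
            if vlan not in vlans:
                vlans.append(vlan)
    return vlans


def priority_problems(priority: int) -> List[str]:
    """Only multiples of 4096 between 0 and 61440 are accepted; all other values are rejected."""
    if not 0 <= priority <= PRIORITY_MAX or priority % PRIORITY_STEP:
        return [f"priority {priority} is not a multiple of {PRIORITY_STEP} in 0-{PRIORITY_MAX}"]
    return []


@dataclass
class VlanStpTimers:
    """hello-time, forward-time and max-age for one vlan-id spec (defaults from the guide)."""
    hello: int = 2
    forward: int = 15
    max_age: int = 20


def timer_problems(t: VlanStpTimers) -> List[str]:
    """Return a list of violations; an empty list means the timers are acceptable."""
    problems: List[str] = []
    if not 1 <= t.hello <= 10:
        problems.append(f"hello-time {t.hello} outside 1-10")
    if not 4 <= t.forward <= 30:
        problems.append(f"forward-time {t.forward} outside 4-30")
    if not 6 <= t.max_age <= 40:
        problems.append(f"max-age {t.max_age} outside 6-40")
    # Assumption (IEEE 802.1D, not stated in the guide): 2*(forward-1) >= max-age >= 2*(hello+1),
    # so stale root information ages out before a port can move to forwarding.
    if not 2 * (t.forward - 1) >= t.max_age >= 2 * (t.hello + 1):
        problems.append("timers violate 2*(forward-1) >= max-age >= 2*(hello+1)")
    return problems


def build_commands(vlan_spec: str, priority: Optional[int] = None,
                   timers: Optional[VlanStpTimers] = None) -> List[str]:
    """Return the global configuration commands for one change set, or raise ValueError."""
    parse_vlan_spec(vlan_spec)  # rejects malformed or out-of-range vlan-id arguments
    spec = vlan_spec.replace(" ", "")
    problems: List[str] = []
    cmds = ["configure terminal"]
    if priority is not None:
        problems += priority_problems(priority)
        cmds.append(f"spanning-tree vlan {spec} priority {priority}")
    if timers is not None:
        problems += timer_problems(timers)
        cmds.append(f"spanning-tree vlan {spec} hello-time {timers.hello}")
        cmds.append(f"spanning-tree vlan {spec} forward-time {timers.forward}")
        cmds.append(f"spanning-tree vlan {spec} max-age {timers.max_age}")
    if problems:
        raise ValueError("; ".join(problems))
    cmds.append("end")
    return cmds


if __name__ == "__main__":
    # Constructed sample: make this switch a likely root for VLANs 10-20 and 30.
    print("\n".join(build_commands("10-20,30", priority=24576, timers=VlanStpTimers(2, 15, 20))))
```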


Displaying  the  Spanning-Tree  Status 

To  display  the  spanning-tree  status,  use  one  or  more  of  the  privileged  EXEC  commands  in  Table  12-5: 
Table 12-5  Commands for Displaying Spanning-Tree Status

Command                                       Purpose
show spanning-tree active                     Displays spanning-tree information on active interfaces only.
show spanning-tree detail                     Displays a detailed summary of interface information.
show spanning-tree interface interface-id     Displays spanning-tree information for the specified interface.
show spanning-tree summary [totals]           Displays a summary of interface states or displays the total
                                              lines of the STP state section.

You  can  clear  spanning-tree  counters  by  using  the  clear  spanning-tree  [interface  interface-id] 
privileged  EXEC  command. 

For  information  about  other  keywords  for  the  show  spanning-tree  privileged  EXEC  command,  see  the 
command  reference  for  this  release. 

Configuring MSTP


This  chapter  describes  how  to  configure  the  Cisco  implementation  of  the  IEEE  802.1s  Multiple 
STP  (MSTP)  on  the  switch. 

Note      The multiple spanning-tree (MST) implementation in Cisco IOS Release 12.2(25)SED is based on the
IEEE 802.1s standard. The MST implementations in earlier Cisco IOS releases are prestandard.


The  MSTP  enables  multiple  VLANs  to  be  mapped  to  the  same  spanning-tree  instance,  reducing  the 
number  of  spanning-tree  instances  needed  to  support  a  large  number  of  VLANs.  The  MSTP  provides  for 
multiple  forwarding  paths  for  data  traffic  and  enables  load  balancing.  It  improves  the  fault  tolerance  of 
the  network  because  a  failure  in  one  instance  (forwarding  path)  does  not  affect  other  instances 
(forwarding  paths).  The  most  common  initial  deployment  of  MSTP  is  in  the  backbone  and  distribution 
layers  of  a  Layer  2  switched  network.  This  deployment  provides  the  highly  available  network  required 
in  a  service-provider  environment. 

When the switch is in the MST mode, the Rapid Spanning Tree Protocol (RSTP), which is based on
IEEE 802.1w, is automatically enabled. The RSTP provides rapid convergence of the spanning tree
through explicit handshaking that eliminates the IEEE 802.1D forwarding delay and quickly transitions
root ports and designated ports to the forwarding state.

Both MSTP and RSTP improve the spanning-tree operation and maintain backward compatibility with
equipment that is based on the (original) IEEE 802.1D spanning tree, with existing Cisco-proprietary
Multiple Instance STP (MISTP), and with existing Cisco per-VLAN spanning-tree plus (PVST+) and
rapid per-VLAN spanning-tree plus (rapid PVST+). For information about PVST+ and rapid PVST+,
see Chapter 12, "Configuring STP." For information about other spanning-tree features such as Port
Fast, UplinkFast, root guard, and so forth, see Chapter 14, "Configuring Optional Spanning-Tree
Features."

Note      For complete syntax and usage information for the commands used in this chapter, see the command
reference for this release.

This  chapter  consists  of  these  sections: 

•  Understanding  MSTP,  page  13-2 

•  Understanding  RSTP,  page  13-8 

•  Configuring  MSTP  Features,  page  13-14 

•  Displaying  the  MST  Configuration  and  Status,  page  13-26 

Understanding MSTP

MSTP,  which  uses  RSTP  for  rapid  convergence,  enables  VLANs  to  be  grouped  into  a  spanning-tree 
instance,  with  each  instance  having  a  spanning-tree  topology  independent  of  other  spanning-tree 
instances.  This  architecture  provides  multiple  forwarding  paths  for  data  traffic,  enables  load  balancing, 
and  reduces  the  number  of  spanning-tree  instances  required  to  support  a  large  number  of  VLANs. 

These  sections  describe  how  the  MSTP  works: 

•  Multiple  Spanning-Tree  Regions,  page  13-2 

•  IST, CIST, and CST, page 13-3

•  Hop  Count,  page  13-5 

•  Boundary  Ports,  page  13-6 

•  IEEE  802.1s  Implementation,  page  13-6 

•  Interoperability  with  IEEE  802.1D  STP,  page  13-8 

For  configuration  information,  see  the  "Configuring  MSTP  Features"  section  on  page  13-14. 

Multiple  Spanning-Tree  Regions 

For  switches  to  participate  in  multiple  spanning-tree  (MST)  instances,  you  must  consistently  configure 
the  switches  with  the  same  MST  configuration  information.  A  collection  of  interconnected  switches  that 
have  the  same  MST  configuration  comprises  an  MST  region  as  shown  in  Figure  13-1  on  page  13-4. 

The  MST  configuration  controls  to  which  MST  region  each  switch  belongs.  The  configuration  includes 
the  name  of  the  region,  the  revision  number,  and  the  MST  VLAN-to-instance  assignment  map.  You 
configure  the  switch  for  a  region  by  using  the  spanning-tree  mst  configuration  global  configuration 
command,  after  which  the  switch  enters  the  MST  configuration  mode.  From  this  mode,  you  can  map 
VLANs  to  an  MST  instance  by  using  the  instance  MST  configuration  command,  specify  the  region 
name  by  using  the  name  MST  configuration  command,  and  set  the  revision  number  by  using  the 
revision  MST  configuration  command. 

A  region  can  have  one  or  multiple  members  with  the  same  MST  configuration.  Each  member  must  be 
capable  of  processing  RSTP  bridge  protocol  data  units  (BPDUs).  There  is  no  limit  to  the  number  of  MST 
regions  in  a  network,  but  each  region  can  support  up  to  65  spanning-tree  instances.  Instances  can  be 
identified  by  any  number  in  the  range  from  0  to  4094.  You  can  assign  a  VLAN  to  only  one  spanning-tree 
instance  at  a  time. 

IST, CIST, and CST

Unlike  PVST+  and  rapid  PVST+  in  which  all  the  spanning-tree  instances  are  independent,  the  MSTP 
establishes  and  maintains  two  types  of  spanning  trees: 

•  An internal spanning tree (IST), which is the spanning tree that runs in an MST region.

Within each MST region, the MSTP maintains multiple spanning-tree instances. Instance 0 is a
special instance for a region, known as the internal spanning tree (IST). All other MST instances are
numbered from 1 to 4094.

The IST is the only spanning-tree instance that sends and receives BPDUs. All of the other
spanning-tree instance information is contained in M-records, which are encapsulated within MSTP
BPDUs. Because the MSTP BPDU carries information for all instances, the number of BPDUs that
need to be processed to support multiple spanning-tree instances is significantly reduced.

All MST instances within the same region share the same protocol timers, but each MST instance
has its own topology parameters, such as root switch ID, root path cost, and so forth. By default, all
VLANs are assigned to the IST.

An  MST  instance  is  local  to  the  region;  for  example,  MST  instance  1  in  region  A  is  independent  of 
MST  instance  1  in  region  B,  even  if  regions  A  and  B  are  interconnected. 

•  A  common  and  internal  spanning  tree  (CIST),  which  is  a  collection  of  the  ISTs  in  each  MST  region, 
and  the  common  spanning  tree  (CST)  that  interconnects  the  MST  regions  and  single  spanning  trees. 

The spanning tree computed in a region appears as a subtree in the CST that encompasses the entire
switched domain. The CIST is formed by the spanning-tree algorithm running among switches that
support the IEEE 802.1w, IEEE 802.1s, and IEEE 802.1D standards. The CIST inside an MST
region is the same as the CST outside a region.

For  more  information,  see  the  "Operations  Within  an  MST  Region"  section  on  page  13-3  and  the 
"Operations  Between  MST  Regions"  section  on  page  13-4. 

Note      The implementation of the IEEE 802.1s standard changes some of the terminology associated with MST
implementations. For a summary of these changes, see Table 12-1 on page 12-4.


Operations  Within  an  MST  Region 

The IST connects all the MSTP switches in a region. When the IST converges, the root of the IST
becomes the CIST regional root (called the IST master before the implementation of the IEEE 802.1s
standard) as shown in Figure 13-1 on page 13-4. It is the switch within the region with the lowest switch
ID and path cost to the CIST root. The CIST regional root is also the CIST root if there is only one region
in the network. If the CIST root is outside the region, one of the MSTP switches at the boundary of the
region is selected as the CIST regional root.

When  an  MSTP  switch  initializes,  it  sends  BPDUs  claiming  itself  as  the  root  of  the  CIST  and  the  CIST 
regional  root,  with  both  of  the  path  costs  to  the  CIST  root  and  to  the  CIST  regional  root  set  to  zero.  The 
switch  also  initializes  all  of  its  MST  instances  and  claims  to  be  the  root  for  all  of  them.  If  the  switch 
receives  superior  MST  root  information  (lower  switch  ID,  lower  path  cost,  and  so  forth)  than  currently 
stored  for  the  port,  it  relinquishes  its  claim  as  the  CIST  regional  root. 

During  initialization,  a  region  might  have  many  subregions,  each  with  its  own  CIST  regional  root.  As 
switches receive superior IST information, they leave their old subregions and join the new subregion
that  contains  the  true  CIST  regional  root.  Thus  all  subregions  shrink,  except  for  the  one  that  contains  the 
true  CIST  regional  root. 
For correct operation, all switches in the MST region must agree on the same CIST regional root.
Therefore,  any  two  switches  in  the  region  only  synchronize  their  port  roles  for  an  MST  instance  if  they 
converge  to  a  common  CIST  regional  root. 

Operations  Between  MST  Regions 

If there are multiple regions or legacy IEEE 802.1D switches within the network, MSTP establishes and
maintains the CST, which includes all MST regions and all legacy STP switches in the network. The
MST instances combine with the IST at the boundary of the region to become the CST.

The IST connects all the MSTP switches in the region and appears as a subtree in the CIST that
encompasses the entire switched domain. The root of the subtree is the CIST regional root. The MST
region appears as a virtual switch to adjacent STP switches and MST regions.

Figure 13-1 shows a network with three MST regions and a legacy IEEE 802.1D switch (D). The CIST
regional  root  for  region  1  (A)  is  also  the  CIST  root.  The  CIST  regional  root  for  region  2  (B)  and  the  CIST 
regional  root  for  region  3  (C)  are  the  roots  for  their  respective  subtrees  within  the  CIST.  The  RSTP  runs 
in  all  regions. 


Figure 13-1        MST Regions, CIST Masters, and CST Root


Only  the  CST  instance  sends  and  receives  BPDUs,  and  MST  instances  add  their  spanning-tree 
information  into  the  BPDUs  to  interact  with  neighboring  switches  and  compute  the  final  spanning-tree 
topology.  Because  of  this,  the  spanning-tree  parameters  related  to  BPDU  transmission  (for  example, 
hello time, forward time, max-age, and max-hops) are configured only on the CST instance but affect
all  MST  instances.  Parameters  related  to  the  spanning-tree  topology  (for  example,  switch  priority,  port 
VLAN  cost,  and  port  VLAN  priority)  can  be  configured  on  both  the  CST  instance  and  the  MST  instance. 

MSTP switches use Version 3 RSTP BPDUs or IEEE 802.1D STP BPDUs to communicate with legacy
IEEE 802.1D switches. MSTP switches use MSTP BPDUs to communicate with MSTP switches.

IEEE  802.1s  Terminology 

Some  MST  naming  conventions  used  in  Cisco's  prestandard  implementation  have  been  changed  to 
identify  some  internal  or  regional  parameters.  These  parameters  are  significant  only  within  an  MST 
region,  as  opposed  to  external  parameters  that  are  relevant  to  the  whole  network.  Because  the  CIST  is 
the  only  spanning-tree  instance  that  spans  the  whole  network,  only  the  CIST  parameters  require  the 
external  rather  than  the  internal  or  regional  qualifiers. 

•  The  CIST  root  is  the  root  switch  for  the  unique  instance  that  spans  the  whole  network,  the  CIST. 

•  The  CIST  external  root  path  cost  is  the  cost  to  the  CIST  root.  This  cost  is  left  unchanged  within  an 
MST  region.  Remember  that  an  MST  region  looks  like  a  single  switch  for  the  CIST.  The  CIST 
external  root  path  cost  is  the  root  path  cost  calculated  between  these  virtual  switches  and  switches 
that  do  not  belong  to  any  region. 

•  The CIST regional root was called the IST master in the prestandard implementation. If the CIST
root is in the region, the CIST regional root is the CIST root. Otherwise, the CIST regional root is
the closest switch to the CIST root in the region. The CIST regional root acts as a root switch for
the IST.

•  The CIST internal root path cost is the cost to the CIST regional root in a region. This cost is only
relevant to the IST, instance 0.

Table  13-1  on  page  13-5  compares  the  IEEE  standard  and  the  Cisco  prestandard  terminology. 


Table 13-1         Prestandard and Standard Terminology

IEEE Standard                    Cisco Prestandard        Cisco Standard
CIST regional root               IST master               CIST regional root
CIST internal root path cost     IST master path cost     CIST internal path cost
CIST external root path cost     Root path cost           Root path cost
MSTI regional root               Instance root            Instance root
MSTI internal root path cost     Root path cost           Root path cost

Hop  Count 

The IST and MST instances do not use the message-age and maximum-age information in the
configuration BPDU to compute the spanning-tree topology. Instead, they use the path cost to the root
and a hop-count mechanism similar to the IP time-to-live (TTL) mechanism.

By using the spanning-tree mst max-hops global configuration command, you can configure the
maximum hops inside the region and apply it to the IST and all MST instances in that region. The hop
count achieves the same result as the message-age information (triggers a reconfiguration). The root
switch of the instance always sends a BPDU (or M-record) with a cost of 0 and the hop count set to the
maximum value. When a switch receives this BPDU, it decrements the received remaining hop count by
one and propagates this value as the remaining hop count in the BPDUs it generates. When the count
reaches zero, the switch discards the BPDU and ages the information held for the port.

The  message-age  and  maximum-age  information  in  the  RSTP  portion  of  the  BPDU  remain  the  same 
throughout  the  region,  and  the  same  values  are  propagated  by  the  region  designated  ports  at  the 
boundary. 
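The hop-count mechanism just described, as an added Python simulation that is not part of the guide: the instance root emits an M-record with cost 0 and the remaining hop count at max-hops, each switch in a chain decrements it before propagating, a record arriving with zero hops left is discarded, and the message age of the RSTP portion is relayed unchanged inside the region. The default of 20 for max-hops, the chain topology and the link costs are assumptions constructed for the demonstration.

```python
"""Simulate MST hop-count propagation for one instance through a chain of switches.

Added example, not from the guide. A received record with zero remaining hops
is discarded and the port information is aged out; otherwise the switch adds
the link cost, decrements the hop count by one and propagates the result.
"""
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_MAX_HOPS = 20  # assumption: default of spanning-tree mst max-hops on Cisco IOS


@dataclass(frozen=True)
class MstBpdu:
    instance: int
    root_id: str
    root_path_cost: int
    remaining_hops: int
    message_age: int  # RSTP portion: MST switches inside the region leave it unchanged


def root_bpdu(instance: int, root_id: str, max_hops: int = DEFAULT_MAX_HOPS) -> MstBpdu:
    """What the root of the instance always sends: cost 0, hop count at the maximum."""
    return MstBpdu(instance, root_id, 0, max_hops, message_age=0)


def receive(bpdu: MstBpdu, link_cost: int) -> Optional[MstBpdu]:
    """Return the BPDU this switch will propagate downstream, or None if it is discarded."""
    if bpdu.remaining_hops <= 0:
        return None  # hop count exhausted: discard the BPDU and age out the port information
    return MstBpdu(
        instance=bpdu.instance,
        root_id=bpdu.root_id,
        root_path_cost=bpdu.root_path_cost + link_cost,
        remaining_hops=bpdu.remaining_hops - 1,
        message_age=bpdu.message_age,  # not touched by the hop-count mechanism
    )


def propagate_chain(root: MstBpdu, link_costs: List[int]) -> List[MstBpdu]:
    """BPDU propagated by each successive switch of a linear chain, stopping where the count runs out.

    link_costs[i] is the cost of the link into switch i+1; the returned list has one
    entry per switch that still accepted the information.
    """
    propagated: List[MstBpdu] = []
    current = root
    for cost in link_costs:
        nxt = receive(current, cost)
        if nxt is None:
            break  # this switch and everything beyond it no longer hear the root
        propagated.append(nxt)
        current = nxt
    return propagated


if __name__ == "__main__":
    # Constructed topology: 25 switches in a row behind the root, every link costing 4.
    heard = propagate_chain(root_bpdu(instance=1, root_id="root-A"), [4] * 25)
    print(f"{len(heard)} switches hold root information; last one: {heard[-1]}")
```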

Boundary  Ports 

In  the  Cisco  prestandard  implementation,  a  boundary  port  connects  an  MST  region  to  a  single 
spanning-tree  region  running  RSTP,  to  a  single  spanning-tree  region  running  PVST+  or  rapid  PVST+, 
or  to  another  MST  region  with  a  different  MST  configuration.  A  boundary  port  also  connects  to  a  LAN, 
the  designated  switch  of  which  is  either  a  single  spanning-tree  switch  or  a  switch  with  a  different  MST 
configuration. 

There  is  no  definition  of  a  boundary  port  in  the  IEEE  802.1s  standard.  The  IEEE  802.1Q-2002  standard 
identifies  two  kinds  of  messages  that  a  port  can  receive:  internal  (coming  from  the  same  region)  and 
external.  When  a  message  is  external,  it  is  received  only  by  the  CIST.  If  the  CIST  role  is  root  or  alternate, 
or  if  the  external  BPDU  is  a  topology  change,  it  could  have  an  impact  on  the  MST  instances.  When  a 
message  is  internal,  the  CIST  part  is  received  by  the  CIST,  and  each  MST  instance  receives  its  respective 
M-record.  The  Cisco  prestandard  implementation  treats  a  port  that  receives  an  external  message  as  a 
boundary  port.  This  means  a  port  cannot  receive  a  mix  of  internal  and  external  messages. 

An  MST  region  includes  both  switches  and  LANs.  A  segment  belongs  to  the  region  of  its  designated 
port.  Therefore,  a  port  in  a  different  region  than  the  designated  port  for  a  segment  is  a  boundary  port. 
This  definition  allows  two  ports  internal  to  a  region  to  share  a  segment  with  a  port  belonging  to  a 
different  region,  creating  the  possibility  of  receiving  both  internal  and  external  messages  on  a  port. 

The  primary  change  from  the  Cisco  prestandard  implementation  is  that  a  designated  port  is  not  defined 
as  boundary,  unless  it  is  running  in  an  STP-compatible  mode. 

Note      If there is a legacy STP switch on the segment, messages are always considered external.


The  other  change  from  the  prestandard  implementation  is  that  the  CIST  regional  root  switch  ID  field  is 
now inserted where an RSTP or legacy IEEE 802.1Q switch has the sender switch ID. The whole region
performs  like  a  single  virtual  switch  by  sending  a  consistent  sender  switch  ID  to  neighboring  switches. 
In  this  example,  switch  C  would  receive  a  BPDU  with  the  same  consistent  sender  switch  ID  of  root, 
whether  or  not  A  or  B  is  designated  for  the  segment. 

IEEE  802.1s  Implementation 

The  Cisco  implementation  of  the  IEEE  MST  standard  includes  features  required  to  meet  the  standard,  as 
well  as  some  of  the  desirable  prestandard  functionality  that  is  not  yet  incorporated  into  the  published 
standard. 

Port Role Naming Change

The  boundary  role  is  no  longer  in  the  final  MST  standard,  but  this  boundary  concept  is  maintained  in 
Cisco's  implementation.  However,  an  MST  instance  port  at  a  boundary  of  the  region  might  not  follow 
the  state  of  the  corresponding  CIST  port.  Two  cases  exist  now: 

•  The  boundary  port  is  the  root  port  of  the  CIST  regional  root — When  the  CIST  instance  port  is 
proposed  and  is  in  sync,  it  can  send  back  an  agreement  and  move  to  the  forwarding  state  only  after 
all  the  corresponding  MSTI  ports  are  in  sync  (and  thus  forwarding).  The  MSTI  ports  now  have  a 
special  master  role. 

•  The  boundary  port  is  not  the  root  port  of  the  CIST  regional  root — The  MSTI  ports  follow  the  state 
and  role  of  the  CIST  port.  The  standard  provides  less  information,  and  it  might  be  difficult  to 
understand why an MSTI port can be alternately blocking when it receives no BPDUs (M-records).
In  this  case,  although  the  boundary  role  no  longer  exists,  the  show  commands  identify  a  port  as 
boundary  in  the  type  column  of  the  output. 


Interoperation  Between  Legacy  and  Standard  Switches 

Because  automatic  detection  of  prestandard  switches  can  fail,  you  can  use  an  interface  configuration 
command  to  identify  prestandard  ports.  A  region  cannot  be  formed  between  a  standard  and  a  prestandard 
switch,  but  they  can  interoperate  by  using  the  CIST.  Only  the  capability  of  load  balancing  over  different 
instances  is  lost  in  that  particular  case.  The  CLI  displays  different  flags  depending  on  the  port 
configuration  when  a  port  receives  prestandard  BPDUs.  A  syslog  message  also  appears  the  first  time  a 
switch  receives  a  prestandard  BPDU  on  a  port  that  has  not  been  configured  for  prestandard  BPDU 
transmission. 

Figure  13-2  illustrates  this  scenario.  Assume  that  A  is  a  standard  switch  and  B  a  prestandard  switch,  both 
configured  to  be  in  the  same  region.  A  is  the  root  switch  for  the  CIST,  and  thus  B  has  a  root  port  (BX) 
on  segment  X  and  an  alternate  port  (BY)  on  segment  Y.  If  segment  Y  flaps,  and  the  port  on  BY  becomes 
the  alternate  before  sending  out  a  single  prestandard  BPDU,  AY  cannot  detect  that  a  prestandard  switch 
is  connected  to  Y  and  continues  to  send  standard  BPDUs.  The  port  BY  is  thus  fixed  in  a  boundary,  and 
no  load  balancing  is  possible  between  A  and  B.  The  same  problem  exists  on  segment  X,  but  B  might 
transmit  topology  changes. 


Figure 13-2        Standard and Prestandard Switch Interoperation

[Figure not reproduced: switch A and switch B in one MST region, connected by segment X and segment Y.]


Note      We recommend that you minimize the interaction between standard and prestandard MST
implementations.

Detecting Unidirectional Link Failure

This  feature  is  not  yet  present  in  the  IEEE  MST  standard,  but  it  is  included  in  this  Cisco  IOS  release. 
The  software  checks  the  consistency  of  the  port  role  and  state  in  the  received  BPDUs  to  detect 
unidirectional  link  failures  that  could  cause  bridging  loops. 

When  a  designated  port  detects  a  conflict,  it  keeps  its  role,  but  reverts  to  discarding  state  because 
disrupting  connectivity  in  case  of  inconsistency  is  preferable  to  opening  a  bridging  loop. 

Figure  13-3  illustrates  a  unidirectional  link  failure  that  typically  creates  a  bridging  loop.  Switch  A  is  the 
root  switch,  and  its  BPDUs  are  lost  on  the  link  leading  to  switch  B.  RSTP  and  MST  BPDUs  include  the 
role  and  state  of  the  sending  port.  With  this  information,  switch  A  can  detect  that  switch  B  does  not  react 
to  the  superior  BPDUs  it  sends  and  that  switch  B  is  the  designated,  not  root  switch.  As  a  result,  switch 
A  blocks  (or  keeps  blocking)  its  port,  thus  preventing  the  bridging  loop. 


Figure  13-3 


Detecting  Unidirectional  Link  Failure 


Superior 
BPDU 


Inferior  BPDU, 
Designated  +  Learning  bit  set 
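The consistency check behind Figure 13-3, as an added Python model that is not the guide's own code: a designated port compares a received BPDU with the one it sends; an inferior BPDU whose sender claims the designated role with the learning (or forwarding) bit set means the neighbour never heard this switch's superior BPDUs, so the port keeps its role and drops to discarding instead of opening a loop. Switch IDs, costs and the two sample BPDUs are constructed; lower ID and lower cost are better, as in STP.

```python
"""Dispute check on a designated port: detect a one-way link from the role and
state carried in a received RSTP/MST BPDU.

Added example, not from the guide. Full RSTP port-role selection is out of
scope; a superior BPDU only marks the port for re-evaluation.
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Bpdu:
    root_id: int          # switch ID claimed as root (priority and MAC collapsed to one int)
    root_path_cost: int
    sender_id: int
    role: str             # "root", "designated", "alternate" or "backup"
    learning: bool
    forwarding: bool

    def vector(self) -> Tuple[int, int, int]:
        """Priority vector: lower compares better, as in the spanning-tree algorithm."""
        return (self.root_id, self.root_path_cost, self.sender_id)


@dataclass
class DesignatedPort:
    """A port holding the designated role; `own` is the BPDU it transmits."""
    own: Bpdu
    state: str = "forwarding"
    role: str = "designated"
    disputed: bool = False

    def receive(self, rx: Bpdu) -> str:
        """Process a BPDU heard on this port and return the resulting port state."""
        if rx.vector() < self.own.vector():
            # Superior information: this port cannot stay designated. Picking the
            # new role (root or alternate) belongs to the full RSTP role selection.
            self.role = "reevaluate"
            self.state = "discarding"
            return self.state
        inferior = rx.vector() > self.own.vector()
        if inferior and rx.role == "designated" and (rx.learning or rx.forwarding):
            # The neighbour did not react to our superior BPDUs and is itself
            # designated and learning/forwarding: consistent with a one-way link.
            # Keep the designated role but stop forwarding so no loop can form.
            self.disputed = True
            self.state = "discarding"
        elif inferior:
            # Inferior BPDU from a neighbour that is blocking: normal behaviour.
            self.disputed = False
            self.state = "forwarding"
        return self.state


# Constructed sample BPDUs for the scenario of Figure 13-3.
A_OWN = Bpdu(root_id=1, root_path_cost=0, sender_id=1,
             role="designated", learning=True, forwarding=True)
# B never heard A, still believes it is the root, and is already learning on the link.
B_CLAIMS_ROOT = Bpdu(root_id=2, root_path_cost=0, sender_id=2,
                     role="designated", learning=True, forwarding=False)
# A neighbour that is blocking the link and merely reports inferior information.
B_BLOCKING = Bpdu(root_id=2, root_path_cost=0, sender_id=2,
                  role="alternate", learning=False, forwarding=False)


if __name__ == "__main__":
    port = DesignatedPort(own=A_OWN)
    print("after one-way-link BPDU:", port.receive(B_CLAIMS_ROOT), port.role, port.disputed)
    print("after blocking neighbour:", port.receive(B_BLOCKING), port.role, port.disputed)
```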


Interoperability with IEEE 802.1D STP

A switch running MSTP supports a built-in protocol migration mechanism that enables it to interoperate
with legacy IEEE 802.1D switches. If this switch receives a legacy IEEE 802.1D configuration BPDU
(a BPDU with the protocol version set to 0), it sends only IEEE 802.1D BPDUs on that port. An MSTP
switch also can detect that a port is at the boundary of a region when it receives a legacy BPDU, an
MSTP BPDU (Version 3) associated with a different region, or an RSTP BPDU (Version 2).

However, the switch does not automatically revert to the MSTP mode if it no longer receives
IEEE 802.1D BPDUs because it cannot detect whether the legacy switch has been removed from the link
unless  the  legacy  switch  is  the  designated  switch.  A  switch  might  also  continue  to  assign  a  boundary  role 
to  a  port  when  the  switch  to  which  this  switch  is  connected  has  joined  the  region.  To  restart  the  protocol 
migration  process  (force  the  renegotiation  with  neighboring  switches),  use  the  clear  spanning-tree 
detected-protocols  privileged  EXEC  command. 

If  all  the  legacy  switches  on  the  link  are  RSTP  switches,  they  can  process  MSTP  BPDUs  as  if  they  are 
RSTP  BPDUs.  Therefore,  MSTP  switches  send  either  a  Version  0  configuration  and  TCN  BPDUs  or 
Version  3  MSTP  BPDUs  on  a  boundary  port.  A  boundary  port  connects  to  a  LAN,  the  designated  switch 
of  which  is  either  a  single  spanning-tree  switch  or  a  switch  with  a  different  MST  configuration. 
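As an added Python model (not the guide's code), this block ties together two passages: the MST configuration that decides region membership (name, revision number and VLAN-to-instance map, with the limits given under "Multiple Spanning-Tree Regions") and the boundary and protocol-migration rules of this section, using the protocol versions the text gives (0 legacy IEEE 802.1D, 2 RSTP, 3 MSTP). The region names, revisions and VLAN maps are constructed samples.

```python
"""Region membership check, BPDU classification and port protocol-migration state.

Added example, not from the guide. The 65-instance limit is the per-region
figure from the text (instance 0 plus the numbered instances).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_INSTANCES_PER_REGION = 65


@dataclass(frozen=True)
class MstConfig:
    name: str
    revision: int
    vlan_to_instance: Tuple[Tuple[int, int], ...]  # (vlan, instance); unlisted VLANs stay in IST 0

    def problems(self) -> List[str]:
        """Violations of the limits in the text; an empty list means the configuration is usable."""
        out: List[str] = []
        seen: Dict[int, int] = {}
        for vlan, inst in self.vlan_to_instance:
            if not 1 <= vlan <= 4094:
                out.append(f"VLAN {vlan} outside 1-4094")
            if not 0 <= inst <= 4094:
                out.append(f"instance {inst} outside 0-4094")
            if vlan in seen and seen[vlan] != inst:
                out.append(f"VLAN {vlan} mapped to instance {seen[vlan]} and to {inst}")
            seen[vlan] = inst
        instances = {0} | {inst for _, inst in self.vlan_to_instance}
        if len(instances) > MAX_INSTANCES_PER_REGION:
            out.append(f"{len(instances)} instances exceed {MAX_INSTANCES_PER_REGION}")
        return out

    def same_region(self, other: "MstConfig") -> bool:
        """Two switches are in one region only when all three elements match."""
        return (self.name == other.name and self.revision == other.revision
                and dict(self.vlan_to_instance) == dict(other.vlan_to_instance))


@dataclass(frozen=True)
class Bpdu:
    version: int                        # 0 = IEEE 802.1D, 2 = RSTP, 3 = MSTP
    region: Optional[MstConfig] = None  # sender's MST configuration, MSTP BPDUs only


@dataclass
class PortState:
    boundary: bool = False
    send_legacy_only: bool = False      # sticky: silence never clears it (see text)
    last_bpdu_kind: str = "none"


def classify(local: MstConfig, bpdu: Bpdu) -> str:
    if bpdu.version == 0:
        return "legacy-802.1D"
    if bpdu.version == 2:
        return "rstp"
    if bpdu.version == 3:
        if bpdu.region is not None and local.same_region(bpdu.region):
            return "internal"
        return "other-region"
    return "unknown"


def process_bpdu(port: PortState, local: MstConfig, bpdu: Bpdu) -> PortState:
    """Apply the migration and boundary rules of the text to one received BPDU."""
    kind = classify(local, bpdu)
    port.last_bpdu_kind = kind
    if kind == "legacy-802.1D":
        port.send_legacy_only = True  # from now on send only IEEE 802.1D BPDUs on this port
    # A legacy BPDU, an RSTP BPDU or an MSTP BPDU of another region marks a boundary.
    port.boundary = kind in ("legacy-802.1D", "rstp", "other-region")
    return port


def clear_detected_protocols(port: PortState) -> PortState:
    """Model of clear spanning-tree detected-protocols: restart migration on the port."""
    port.send_legacy_only = False
    port.boundary = False
    port.last_bpdu_kind = "none"
    return port


# Constructed sample configurations.
LOCAL = MstConfig("CORE", 1, ((10, 1), (20, 2)))
SAME = MstConfig("CORE", 1, ((20, 2), (10, 1)))   # same map in another order: same region
OTHER = MstConfig("CORE", 2, ((10, 1), (20, 2)))  # revision differs: another region
```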


Understanding  RSTP 

The  RSTP  takes  advantage  of  point-to-point  wiring  and  provides  rapid  convergence  of  the  spanning  tree. 
Reconfiguration of the spanning tree can occur in less than 1 second (in contrast to 50 seconds with the
default settings in the IEEE 802.1D spanning tree).
These sections describe how the RSTP works:

•  Port  Roles  and  the  Active  Topology,  page  13-9 

•  Rapid  Convergence,  page  13-10 

•  Synchronization  of  Port  Roles,  page  13-11 

•  Bridge  Protocol  Data  Unit  Format  and  Processing,  page  13-12 

For  configuration  information,  see  the  "Configuring  MSTP  Features"  section  on  page  13-14. 

Port  Roles  and  the  Active  Topology 

The RSTP provides rapid convergence of the spanning tree by assigning port roles and by learning the
active topology. The RSTP builds upon the IEEE 802.1D STP to select the switch with the highest switch
priority (lowest numerical priority value) as the root switch as described in the "Spanning-Tree
Topology and BPDUs" section on page 12-3. Then the RSTP assigns one of these port roles to individual
ports:

•  Root  port — Provides  the  best  path  (lowest  cost)  when  the  switch  forwards  packets  to  the  root  switch. 

•  Designated  port — Connects  to  the  designated  switch,  which  incurs  the  lowest  path  cost  when 
forwarding  packets  from  that  LAN  to  the  root  switch.  The  port  through  which  the  designated  switch 
is  attached  to  the  LAN  is  called  the  designated  port. 

•  Alternate  port — Offers  an  alternate  path  toward  the  root  switch  to  that  provided  by  the  current  root 
port. 

•  Backup  port — Acts  as  a  backup  for  the  path  provided  by  a  designated  port  toward  the  leaves  of  the 
spanning  tree.  A  backup  port  can  exist  only  when  two  ports  are  connected  in  a  loopback  by  a 
point-to-point  link  or  when  a  switch  has  two  or  more  connections  to  a  shared  LAN  segment. 

•  Disabled  port — Has  no  role  within  the  operation  of  the  spanning  tree. 

A  port  with  the  root  or  a  designated  port  role  is  included  in  the  active  topology.  A  port  with  the  alternate 
or  backup  port  role  is  excluded  from  the  active  topology. 

In a stable topology with consistent port roles throughout the network, the RSTP ensures that every root
port and designated port immediately transition to the forwarding state while all alternate and backup
ports are always in the discarding state (equivalent to blocking in IEEE 802.1D). The port state controls
the operation of the forwarding and learning processes. Table 13-2 provides a comparison of
IEEE 802.1D and RSTP port states.


Table 13-2        Port State Comparison

Operational Status   STP Port State (IEEE 802.1D)   RSTP Port State   Is Port Included in the Active Topology?
Enabled              Blocking                       Discarding        No
Enabled              Listening                      Discarding        No
Enabled              Learning                       Learning          Yes
Enabled              Forwarding                     Forwarding        Yes
Disabled             Disabled                       Discarding        No

To  be  consistent  with  Cisco  STP  implementations,  this  guide  defines  the  port  state  as  blocking  instead 
of  discarding.  Designated  ports  start  in  the  listening  state. 
Rapid Convergence

The  RSTP  provides  for  rapid  recovery  of  connectivity  following  the  failure  of  a  switch,  a  switch  port, 
or  a  LAN.  It  provides  rapid  convergence  for  edge  ports,  new  root  ports,  and  ports  connected  through 
point-to-point  links  as  follows: 

•  Edge  ports — If  you  configure  a  port  as  an  edge  port  on  an  RSTP  switch  by  using  the  spanning-tree 
portfast  interface  configuration  command,  the  edge  port  immediately  transitions  to  the  forwarding 
state.  An  edge  port  is  the  same  as  a  Port  Fast-enabled  port,  and  you  should  enable  it  only  on  ports 
that  connect  to  a  single  end  station. 

•  Root  ports — If  the  RSTP  selects  a  new  root  port,  it  blocks  the  old  root  port  and  immediately 
transitions  the  new  root  port  to  the  forwarding  state. 

•  Point-to-point  links — If  you  connect  a  port  to  another  port  through  a  point-to-point  link  and  the  local 
port  becomes  a  designated  port,  it  negotiates  a  rapid  transition  with  the  other  port  by  using  the 
proposal-agreement  handshake  to  ensure  a  loop-free  topology. 

As  shown  in  Figure  13-4,  Switch  A  is  connected  to  Switch  B  through  a  point-to-point  link,  and  all 
of  the  ports  are  in  the  blocking  state.  Assume  that  the  priority  of  Switch  A  is  a  smaller  numerical 
value  than  the  priority  of  Switch  B.  Switch  A  sends  a  proposal  message  (a  configuration  BPDU  with 
the  proposal  flag  set)  to  Switch  B,  proposing  itself  as  the  designated  switch. 

After  receiving  the  proposal  message,  Switch  B  selects  as  its  new  root  port  the  port  from  which  the 
proposal  message  was  received,  forces  all  nonedge  ports  to  the  blocking  state,  and  sends  an 
agreement  message  (a  BPDU  with  the  agreement  flag  set)  through  its  new  root  port. 

After  receiving  Switch  B's  agreement  message,  Switch  A  also  immediately  transitions  its 
designated  port  to  the  forwarding  state.  No  loops  in  the  network  are  formed  because  Switch  B 
blocked  all  of  its  nonedge  ports  and  because  there  is  a  point-to-point  link  between  Switches  A  and  B. 

When  Switch  C  is  connected  to  Switch  B,  a  similar  set  of  handshaking  messages  are  exchanged. 
Switch  C  selects  the  port  connected  to  Switch  B  as  its  root  port,  and  both  ends  immediately 
transition  to  the  forwarding  state.  With  each  iteration  of  this  handshaking  process,  one  more  switch 
joins  the  active  topology.  As  the  network  converges,  this  proposal-agreement  handshaking 
progresses  from  the  root  toward  the  leaves  of  the  spanning  tree. 

The  switch  learns  the  link  type  from  the  port  duplex  mode:  a  full-duplex  port  is  considered  to  have 
a  point-to-point  connection;  a  half-duplex  port  is  considered  to  have  a  shared  connection.  You  can 
override  the  default  setting  that  is  controlled  by  the  duplex  setting  by  using  the  spanning-tree 
link-type  interface  configuration  command. 
Figure 13-4        Proposal and Agreement Handshaking for Rapid Convergence
(RP = root port, F = forwarding)


Synchronization  of  Port  Roles 


When  the  switch  receives  a  proposal  message  on  one  of  its  ports  and  that  port  is  selected  as  the  new  root 
port,  the  RSTP  forces  all  other  ports  to  synchronize  with  the  new  root  information. 

The switch is synchronized with superior root information received on the root port if all other ports are
synchronized. An individual port on the switch is synchronized if either of these conditions is true:

•  That port is in the blocking state.

•  It is an edge port (a port configured to be at the edge of the network).

If  a  designated  port  is  in  the  forwarding  state  and  is  not  configured  as  an  edge  port,  it  transitions  to  the 
blocking  state  when  the  RSTP  forces  it  to  synchronize  with  new  root  information.  In  general,  when  the 
RSTP  forces  a  port  to  synchronize  with  root  information  and  the  port  does  not  satisfy  any  of  the  above 
conditions,  its  port  state  is  set  to  blocking. 
After ensuring that all of the ports are synchronized, the switch sends an agreement message to the
designated  switch  corresponding  to  its  root  port.  When  the  switches  connected  by  a  point-to-point  link 
are  in  agreement  about  their  port  roles,  the  RSTP  immediately  transitions  the  port  states  to  forwarding. 
The  sequence  of  events  is  shown  in  Figure  13-5. 


Figure 13-5        Sequence of Events During Rapid Convergence
(labeled steps in the figure: 1. Proposal, 4. Agreement, 5. Forward)
Bridge Protocol Data Unit Format and Processing

The RSTP BPDU format is the same as the IEEE 802.1D BPDU format except that the protocol version
is set to 2. A new 1-byte Version 1 Length field is set to zero, which means that no version 1 protocol
information is present. Table 13-3 shows the RSTP flag fields.

Table 13-3         RSTP BPDU Flags

Bit    Function
0      Topology change (TC)
1      Proposal
2-3    Port role:
         00  Unknown
         01  Alternate port
         10  Root port
         11  Designated port
4      Learning
5      Forwarding
6      Agreement
7      Topology change acknowledgement (TCA)
The sending switch sets the proposal flag in the RSTP BPDU to propose itself as the designated switch
on  that  LAN.  The  port  role  in  the  proposal  message  is  always  set  to  the  designated  port. 

The  sending  switch  sets  the  agreement  flag  in  the  RSTP  BPDU  to  accept  the  previous  proposal.  The  port 
role  in  the  agreement  message  is  always  set  to  the  root  port. 

The RSTP does not have a separate topology change notification (TCN) BPDU. It uses the topology
change (TC) flag to show the topology changes. However, for interoperability with IEEE 802.1D
switches, the RSTP switch processes and generates TCN BPDUs.

The  learning  and  forwarding  flags  are  set  according  to  the  state  of  the  sending  port. 
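The following Python decoder is an added example and is not code from this guide. It parses the 36-byte RSTP BPDU described above (the IEEE 802.1D configuration BPDU layout with protocol version 2, BPDU type 0x02 and the trailing Version 1 Length byte), decodes the flag octet according to Table 13-3, and checks the rules this section states: a proposal carries the designated port role, an agreement carries the root port role, Version 1 Length is zero, and an RSTP BPDU never sets the TCA bit. The two sample BPDUs are constructed to mirror the Switch A and Switch B exchange of Figure 13-4; their MAC addresses, port IDs and path cost are assumptions. This is the kind of check a monitoring tool applies when watching for unexpected proposals or flag and role mismatches on access ports.

```python
"""Decode and sanity-check RSTP BPDUs using the flag layout of Table 13-3.

Added example, not code from the Cisco guide. The two BPDUs built at the bottom
are constructed to mirror the Switch A / Switch B exchange of Figure 13-4; the
MAC addresses, port IDs and path cost are made up.
"""
import struct
from dataclasses import dataclass

# Flag octet; bit 0 is the least-significant bit, as numbered in Table 13-3.
FLAG_TC, FLAG_PROPOSAL = 1 << 0, 1 << 1
FLAG_LEARNING, FLAG_FORWARDING = 1 << 4, 1 << 5
FLAG_AGREEMENT, FLAG_TCA = 1 << 6, 1 << 7
ROLE_SHIFT, ROLE_MASK = 2, 0b11                      # bits 2-3 carry the port role
ROLE_NAMES = {0b00: "unknown", 0b01: "alternate", 0b10: "root", 0b11: "designated"}
FLAG_BITS = {"tc": FLAG_TC, "proposal": FLAG_PROPOSAL, "learning": FLAG_LEARNING,
             "forwarding": FLAG_FORWARDING, "agreement": FLAG_AGREEMENT, "tca": FLAG_TCA}

# IEEE 802.1D configuration BPDU layout followed by the 1-byte Version 1 Length field.
RST_BPDU = struct.Struct("!HBBB8sI8sHHHHHB")         # 36 bytes, network byte order
PROTOCOL_ID_STP, VERSION_RSTP, TYPE_RST = 0x0000, 2, 0x02


def bridge_id(priority: int, mac: str) -> bytes:
    """8-byte switch ID: 2-byte priority (low 12 bits = extended system ID) + MAC."""
    return struct.pack("!H6s", priority, bytes.fromhex(mac.replace(":", "")))


def decode_flags(flags: int) -> dict:
    out = {name: bool(flags & bit) for name, bit in FLAG_BITS.items()}
    out["role"] = ROLE_NAMES[(flags >> ROLE_SHIFT) & ROLE_MASK]
    return out


def encode_flags(role: str, **on: bool) -> int:
    """Build a flag octet, e.g. encode_flags("designated", proposal=True) -> 0x0E."""
    role_code = next(code for code, name in ROLE_NAMES.items() if name == role)
    flags = role_code << ROLE_SHIFT
    for name, value in on.items():
        if value:
            flags |= FLAG_BITS[name]
    return flags


@dataclass
class RstBpdu:
    version: int
    bpdu_type: int
    flags: int
    root_id: bytes
    root_path_cost: int
    sender_id: bytes
    port_id: int
    message_age: int        # timer fields are carried in units of 1/256 second
    max_age: int
    hello_time: int
    forward_delay: int
    version1_length: int


def build_rst_bpdu(flags: int, root_id: bytes, root_path_cost: int, sender_id: bytes,
                   port_id: int, message_age_s: float = 0.0) -> bytes:
    """Serialise an RSTP BPDU with the guide's default timers (hello 2 s, max age 20 s, forward delay 15 s)."""
    return RST_BPDU.pack(PROTOCOL_ID_STP, VERSION_RSTP, TYPE_RST, flags, root_id, root_path_cost,
                         sender_id, port_id, int(message_age_s * 256), 20 * 256, 2 * 256, 15 * 256, 0)


def parse_rst_bpdu(data: bytes) -> RstBpdu:
    if len(data) < RST_BPDU.size:
        raise ValueError(f"short BPDU: {len(data)} bytes, need {RST_BPDU.size}")
    protocol_id, *fields = RST_BPDU.unpack_from(data)
    if protocol_id != PROTOCOL_ID_STP:
        raise ValueError(f"unexpected protocol identifier 0x{protocol_id:04x}")
    return RstBpdu(*fields)


def check_rst_bpdu(b: RstBpdu) -> list:
    """List the rules from the text that the BPDU violates; an empty list means it is well formed."""
    f, problems = decode_flags(b.flags), []
    if (b.version, b.bpdu_type) != (VERSION_RSTP, TYPE_RST):
        problems.append(f"not an RSTP BPDU (version {b.version}, type 0x{b.bpdu_type:02x})")
    if b.version1_length != 0:
        problems.append("Version 1 Length must be zero")
    if f["proposal"] and f["role"] != "designated":
        problems.append("proposal must carry the designated port role")
    if f["agreement"] and f["role"] != "root":
        problems.append("agreement must carry the root port role")
    if f["tca"]:
        problems.append("RSTP BPDUs never set the TCA bit")
    return problems


# Constructed exchange from Figure 13-4: Switch A (better priority) proposes, Switch B agrees.
SWITCH_A = bridge_id(24576, "00:11:22:33:44:5a")
SWITCH_B = bridge_id(32768, "00:11:22:33:44:5b")
PROPOSAL = build_rst_bpdu(encode_flags("designated", proposal=True),
                          root_id=SWITCH_A, root_path_cost=0, sender_id=SWITCH_A, port_id=0x8001)
# Switch B answers through its new root port, which has already moved to forwarding.
AGREEMENT = build_rst_bpdu(encode_flags("root", agreement=True, learning=True, forwarding=True),
                           root_id=SWITCH_A, root_path_cost=4, sender_id=SWITCH_B, port_id=0x8002,
                           message_age_s=1.0)

if __name__ == "__main__":
    for label, raw in (("proposal", PROPOSAL), ("agreement", AGREEMENT)):
        bpdu = parse_rst_bpdu(raw)
        print(f"{label}: flags=0x{bpdu.flags:02x} {decode_flags(bpdu.flags)} problems={check_rst_bpdu(bpdu)}")
```

The proposal decodes to flags 0x0E (proposal bit plus the designated role) and the agreement to 0x78 (agreement, learning and forwarding bits plus the root role). Timer fields travel in 1/256-second units, so the default 2-second hello time appears on the wire as 512. A legacy IEEE 802.1D configuration BPDU is one byte shorter and carries version 0, so the parser rejects it as short rather than mis-reading the flags.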

Processing  Superior  BPDU  Information 

If  a  port  receives  superior  root  information  (lower  switch  ID,  lower  path  cost,  and  so  forth)  than  currently 
stored  for  the  port,  the  RSTP  triggers  a  reconfiguration.  If  the  port  is  proposed  and  is  selected  as  the  new 
root  port,  RSTP  forces  all  the  other  ports  to  synchronize. 

If the BPDU received is an RSTP BPDU with the proposal flag set, the switch sends an agreement
message after all of the other ports are synchronized. If the BPDU is an IEEE 802.1D BPDU, the switch
does not set the proposal flag and starts the forward-delay timer for the port. The new root port requires
twice the forward-delay time to transition to the forwarding state.

If  the  superior  information  received  on  the  port  causes  the  port  to  become  a  backup  or  alternate  port, 
RSTP  sets  the  port  to  the  blocking  state  but  does  not  send  the  agreement  message.  The  designated  port 
continues  sending  BPDUs  with  the  proposal  flag  set  until  the  forward-delay  timer  expires,  at  which  time 
the  port  transitions  to  the  forwarding  state. 

Processing  Inferior  BPDU  Information 

If  a  designated  port  receives  an  inferior  BPDU  (higher  switch  ID,  higher  path  cost,  and  so  forth  than 
currently  stored  for  the  port)  with  a  designated  port  role,  it  immediately  replies  with  its  own  information. 

Topology  Changes 

This section describes the differences between the RSTP and the IEEE 802.1D in handling spanning-tree
topology changes.

•  Detection — Unlike IEEE 802.1D in which any transition between the blocking and the forwarding
state causes a topology change, only transitions from the blocking to the forwarding state cause a
topology change with RSTP (only an increase in connectivity is considered a topology change).
State changes on an edge port do not cause a topology change. When an RSTP switch detects a
topology change, it deletes the learned information on all of its nonedge ports except on those from
which it received the TC notification.

•  Notification — Unlike IEEE 802.1D, which uses TCN BPDUs, the RSTP does not use them.
However, for IEEE 802.1D interoperability, an RSTP switch processes and generates TCN BPDUs.

•  Acknowledgement — When an RSTP switch receives a TCN message on a designated port from an
IEEE 802.1D switch, it replies with an IEEE 802.1D configuration BPDU with the TCA bit set.
However, if the TC-while timer (the same as the topology-change timer in IEEE 802.1D) is active
on a root port connected to an IEEE 802.1D switch and a configuration BPDU with the TCA bit set
is received, the TC-while timer is reset.

This behavior is only required to support IEEE 802.1D switches. The RSTP BPDUs never have the
TCA bit set.
•  Propagation — When an RSTP switch receives a TC message from another switch through a
designated or root port, it propagates the change to all of its nonedge, designated ports and to the
root port (excluding the port on which it is received). The switch starts the TC-while timer for all
such ports and flushes the information learned on them.

•  Protocol migration — For backward compatibility with IEEE 802.1D switches, RSTP selectively
sends IEEE 802.1D configuration BPDUs and TCN BPDUs on a per-port basis.

When a port is initialized, the migration-delay timer is started (it specifies the minimum time during
which RSTP BPDUs are sent), and RSTP BPDUs are sent. While this timer is active, the switch
processes all BPDUs received on that port and ignores the protocol type.

If the switch receives an IEEE 802.1D BPDU after the port migration-delay timer has expired, it
assumes that it is connected to an IEEE 802.1D switch and starts using only IEEE 802.1D BPDUs.
However, if the RSTP switch is using IEEE 802.1D BPDUs on a port and receives an RSTP BPDU
after the timer has expired, it restarts the timer and starts using RSTP BPDUs on that port.


Configuring  MSTP  Features 

These  sections  contain  this  configuration  information: 

•  Default  MSTP  Configuration,  page  13-14 

•  MSTP  Configuration  Guidelines,  page  13-15 

•  Specifying  the  MST  Region  Configuration  and  Enabling  MSTP,  page  13-16  (required) 

•  Configuring  the  Root  Switch,  page  13-17  (optional) 

•  Configuring  a  Secondary  Root  Switch,  page  13-18  (optional) 

•  Configuring  Port  Priority,  page  13-19  (optional) 

•  Configuring  Path  Cost,  page  13-20  (optional) 

•  Configuring  the  Switch  Priority,  page  13-21  (optional) 

•  Configuring  the  Hello  Time,  page  13-22  (optional) 

•  Configuring  the  Forwarding-Delay  Time,  page  13-23  (optional) 

•  Configuring the Maximum-Aging Time, page 13-23 (optional)

•  Configuring  the  Maximum-Hop  Count,  page  13-24  (optional) 

•  Specifying  the  Link  Type  to  Ensure  Rapid  Transitions,  page  13-24  (optional) 

•  Designating  the  Neighbor  Type,  page  13-25  (optional) 

•  Restarting  the  Protocol  Migration  Process,  page  13-25  (optional) 


Default  MSTP  Configuration 

Table  13-4  shows  the  default  MSTP  configuration. 

Table 13-4         Default MSTP Configuration

Feature                                                               Default Setting
Spanning-tree mode                                                    PVST+ (Rapid PVST+ and MSTP are disabled).
Switch priority (configurable on a per-CIST port basis)               32768.
Spanning-tree port priority (configurable on a per-CIST port basis)   128.
Spanning-tree port cost (configurable on a per-CIST port basis)       1000 Mb/s: 4.
                                                                      100 Mb/s: 19.
                                                                      10 Mb/s: 100.
Hello time                                                            2 seconds.
Forward-delay time                                                    15 seconds.
Maximum-aging time                                                    20 seconds.
Maximum hop count                                                     20 hops.

For  information  about  the  supported  number  of  spanning-tree  instances,  see  the  "Supported 
Spanning-Tree  Instances"  section  on  page  12-9. 


MSTP  Configuration  Guidelines 

These  are  the  configuration  guidelines  for  MSTP: 

•  When  you  enable  MST  by  using  the  spanning-tree  mode  mst  global  configuration  command,  RSTP 
is  automatically  enabled. 

•  For  two  or  more  switches  to  be  in  the  same  MST  region,  they  must  have  the  same  VLAN-to-instance 
map,  the  same  configuration  revision  number,  and  the  same  name. 

•  The  switch  supports  up  to  65  MST  instances.  The  number  of  VLANs  that  can  be  mapped  to  a 
particular  MST  instance  is  unlimited. 

•  PVST+,  rapid  PVST+,  and  MSTP  are  supported,  but  only  one  version  can  be  active  at  any  time.  (For 
example,  all  VLANs  run  PVST+,  all  VLANs  run  rapid  PVST+,  or  all  VLANs  run  MSTP.)  For  more 
information,  see  the  "Spanning-Tree  Interoperability  and  Backward  Compatibility"  section  on 
page  12-10.  For  information  on  the  recommended  trunk  port  configuration,  see  the  "Interaction  with 
Other  Features"  section  on  page  9-18. 

•  VTP  propagation  of  the  MST  configuration  is  not  supported.  However,  you  can  manually  configure 
the  MST  configuration  (region  name,  revision  number,  and  VLAN-to-instance  mapping)  on  each 
switch  within  the  MST  region  by  using  the  command-line  interface  (CLI)  or  through  the  SNMP 
support. 

•  For  load  balancing  across  redundant  paths  in  the  network  to  work,  all  VLAN-to-instance  mapping 
assignments  must  match;  otherwise,  all  traffic  flows  on  a  single  link. 

•  All MST boundary ports must be forwarding for load balancing between a PVST+ and an MST
cloud or between a rapid-PVST+ and an MST cloud. For this to occur, the IST master of the MST
cloud should also be the root of the CST. If the MST cloud consists of multiple MST regions, one
of the MST regions must contain the CST root, and all of the other MST regions must have a better
path to the root contained within the MST cloud than a path through the PVST+ or rapid-PVST+
cloud. You might have to manually configure the switches in the clouds.




•  Partitioning  the  network  into  a  large  number  of  regions  is  not  recommended.  However,  if  this 
situation  is  unavoidable,  we  recommend  that  you  partition  the  switched  LAN  into  smaller  LANs 
interconnected  by  routers  or  non-Layer  2  devices. 

•  For  configuration  guidelines  about ,  see  the  "Optional  Spanning-Tree  Configuration  Guidelines" 
section  on  page  14-10. 


Specifying  the  MST  Region  Configuration  and  Enabling  MSTP 

For  two  or  more  switches  to  be  in  the  same  MST  region,  they  must  have  the  same  VLAN-to-instance 
mapping,  the  same  configuration  revision  number,  and  the  same  name. 

A  region  can  have  one  member  or  multiple  members  with  the  same  MST  configuration;  each  member 
must  be  capable  of  processing  RSTP  BPDUs.  There  is  no  limit  to  the  number  of  MST  regions  in  a 
network,  but  each  region  can  only  support  up  to  65  spanning-tree  instances.  You  can  assign  a  VLAN  to 
only  one  spanning-tree  instance  at  a  time. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  specify  the  MST  region  configuration  and 
enable  MSTP.  This  procedure  is  required. 


Command and Purpose

Step 1   configure terminal
         Enter global configuration mode.

Step 2   spanning-tree mst configuration
         Enter MST configuration mode.

Step 3   instance instance-id vlan vlan-range
         Map VLANs to an MST instance.
         •  For instance-id, the range is 0 to 4094.
         •  For vlan vlan-range, the range is 1 to 4094.
         When you map VLANs to an MST instance, the mapping is incremental, and the VLANs specified in
         the command are added to or removed from the VLANs that were previously mapped.
         To specify a VLAN range, use a hyphen; for example, instance 1 vlan 1-63 maps VLANs 1 through
         63 to MST instance 1.
         To specify a VLAN series, use a comma; for example, instance 1 vlan 10, 20, 30 maps VLANs 10,
         20, and 30 to MST instance 1.

Step 4   name name
         Specify the configuration name. The name string has a maximum length of 32 characters and is
         case sensitive.

Step 5   revision version
         Specify the configuration revision number. The range is 0 to 65535.

Step 6   show pending
         Verify your configuration by displaying the pending configuration.

Step 7   exit
         Apply all changes, and return to global configuration mode.

Step 8   spanning-tree mode mst
         Enable MSTP. RSTP is also enabled.
         Caution: Changing spanning-tree modes can disrupt traffic because all spanning-tree instances
         are stopped for the previous mode and restarted in the new mode.
         You cannot run both MSTP and PVST+ or both MSTP and rapid PVST+ at the same time.

Step 9   end
         Return to privileged EXEC mode.

Step 10  show running-config
         Verify your entries.

Step 11  copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To  return  to  the  default  MST  region  configuration,  use  the  no  spanning-tree  mst  configuration  global 
configuration  command.  To  return  to  the  default  VLAN-to-instance  map,  use  the  no  instance 
instance-id  [vlan  vlan-range]  MST  configuration  command.  To  return  to  the  default  name,  use  the  no 
name  MST  configuration  command.  To  return  to  the  default  revision  number,  use  the  no  revision  MST 
configuration  command.  To  re-enable  PVST+,  use  the  no  spanning-tree  mode  or  the  spanning-tree 
mode  pvst  global  configuration  command. 

This example shows how to enter MST configuration mode, map VLANs 10 to 20 to MST instance 1,
name the region region1, set the configuration revision to 1, display the pending configuration, apply
the changes, and return to global configuration mode:

Switch(config)# spanning-tree mst configuration
Switch(config-mst)# instance 1 vlan 10-20
Switch(config-mst)# name region1
Switch(config-mst)# revision 1
Switch(config-mst)# show pending
Pending MST configuration
Name      [region1]
Revision  1
Instance  Vlans Mapped
0         1-9,21-4094
1         10-20
Switch(config-mst)# exit
Switch(config)#


Configuring  the  Root  Switch 

The  switch  maintains  a  spanning-tree  instance  for  the  group  of  VLANs  mapped  to  it.  A  switch  ID, 
consisting  of  the  switch  priority  and  the  switch  MAC  address,  is  associated  with  each  instance.  For  a 
group  of  VLANs,  the  switch  with  the  lowest  switch  ID  becomes  the  root  switch. 

To  configure  a  switch  to  become  the  root,  use  the  spanning-tree  mst  instance-id  root  global 
configuration  command  to  modify  the  switch  priority  from  the  default  value  (32768)  to  a  significantly 
lower  value  so  that  the  switch  becomes  the  root  switch  for  the  specified  spanning-tree  instance.  When 
you  enter  this  command,  the  switch  checks  the  switch  priorities  of  the  root  switches.  Because  of  the 
extended  system  ID  support,  the  switch  sets  its  own  priority  for  the  specified  instance  to  24576  if  this 
value  will  cause  this  switch  to  become  the  root  for  the  specified  spanning-tree  instance. 

If  any  root  switch  for  the  specified  instance  has  a  switch  priority  lower  than  24576,  the  switch  sets  its 
own  priority  to  4096  less  than  the  lowest  switch  priority.  (4096  is  the  value  of  the  least-significant  bit 
of  a  4-bit  switch  priority  value  as  shown  in  Table  12-1  on  page  12-4.) 

If  your  network  consists  of  switches  that  both  do  and  do  not  support  the  extended  system  ID,  it  is 
unlikely  that  the  switch  with  the  extended  system  ID  support  will  become  the  root  switch.  The  extended 
system  ID  increases  the  switch  priority  value  every  time  the  VLAN  number  is  greater  than  the  priority 
of  the  connected  switches  running  older  software. 
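As an added example (not the guide's own code), this Python model reproduces the priority arithmetic described above: root primary picks 24576 when no existing root for the instance is lower, otherwise 4096 below the lowest root priority it sees, and root secondary (described in the next section) sets 28672. It then re-runs the election for the instance, comparing the switch ID as (priority + extended system ID, MAC address) with the MST instance number in the low 12 bits, so you can see whether the new value actually wins. Switch names and MAC addresses are constructed; the refusal to go below priority 0 is an assumption the text does not state.

```python
"""Work through the priorities the 'spanning-tree mst <instance-id> root primary' and
'root secondary' macros assign, and who wins the election afterwards.

Added example, not code from the Cisco guide. Switch names and MAC addresses are
constructed; the 24576, 28672 and 4096-step rules are the ones the text states.
"""
from dataclasses import dataclass, replace

PRIORITY_STEP = 4096        # value of the least-significant bit of the 4-bit priority field
DEFAULT_PRIORITY = 32768
PRIMARY_TARGET = 24576
SECONDARY_PRIORITY = 28672
MAX_PRIORITY = 61440        # 15 * 4096


@dataclass(frozen=True)
class Switch:
    name: str
    mac: str
    priority: int = DEFAULT_PRIORITY

    def switch_id(self, instance: int) -> tuple:
        """Comparable switch ID for one MST instance; the lowest tuple wins the election."""
        if self.priority % PRIORITY_STEP or not 0 <= self.priority <= MAX_PRIORITY:
            raise ValueError(f"{self.name}: priority must be a multiple of 4096 in 0..61440")
        if not 0 <= instance <= 4094:
            raise ValueError("MST instance ID must be in 0..4094")
        # With the extended system ID, the low 12 bits of the priority field hold the instance number.
        return (self.priority + instance, int(self.mac.replace(":", ""), 16))


def elect_root(switches, instance: int) -> Switch:
    return min(switches, key=lambda s: s.switch_id(instance))


def root_primary_priority(observed_root_priorities) -> int:
    """Priority chosen by 'root primary', given the priorities of the roots the switch sees."""
    lowest = min(observed_root_priorities, default=DEFAULT_PRIORITY)
    if lowest < PRIMARY_TARGET:
        if lowest < PRIORITY_STEP:
            # Assumed behaviour: no priority exists below 0, so the macro cannot win here.
            raise ValueError("current root already uses priority 0; no lower value exists")
        return lowest - PRIORITY_STEP
    return PRIMARY_TARGET


def run_root_macro(switches, name: str, instance: int, secondary: bool = False):
    """Apply the macro once on switch `name`; return the updated switch list and the elected root."""
    others = [s for s in switches if s.name != name]
    if secondary:
        new_priority = SECONDARY_PRIORITY
    else:
        current_root = elect_root(others, instance)
        new_priority = root_primary_priority([current_root.priority])
    updated = [replace(s, priority=new_priority) if s.name == name else s for s in switches]
    return updated, elect_root(updated, instance)


if __name__ == "__main__":
    # All three switches start at the default priority, so the lowest MAC (A) is root.
    fabric = [Switch("A", "00:00:0c:00:00:0a"), Switch("B", "00:00:0c:00:00:0b"),
              Switch("C", "00:00:0c:00:00:0c")]
    print("initial root:", elect_root(fabric, 1).name)
    fabric, root = run_root_macro(fabric, "C", 1)             # C -> 24576 and becomes root
    print("after C root primary:", root.name, root.priority)
    fabric, root = run_root_macro(fabric, "B", 1)             # B also -> 24576; the MAC breaks the tie
    print("after B root primary:", root.name, root.priority)
    fabric, root = run_root_macro(fabric, "A", 1, secondary=True)
    print("after A root secondary:", root.name, [(s.name, s.priority) for s in fabric])
```

The second step in the demo is the caveat worth remembering: when the current root already uses 24576, the rule stated above leaves the macro at 24576 as well, and the lower MAC address decides. The macro computes a fixed priority at the moment the command is entered, so confirm the outcome with show spanning-tree mst instance-id and do not assume that a root added to the instance later is taken into account.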
The root switch for each spanning-tree instance should be a backbone or distribution switch. Do not
configure  an  access  switch  as  the  spanning-tree  primary  root. 

Use  the  diameter  keyword,  which  is  available  only  for  MST  instance  0,  to  specify  the  Layer  2  network 
diameter  (that  is,  the  maximum  number  of  switch  hops  between  any  two  end  stations  in  the  Layer  2 
network).  When  you  specify  the  network  diameter,  the  switch  automatically  sets  an  optimal  hello  time, 
forward-delay  time,  and  maximum-age  time  for  a  network  of  that  diameter,  which  can  significantly 
reduce  the  convergence  time.  You  can  use  the  hello  keyword  to  override  the  automatically  calculated 
hello  time. 


Note      After  configuring  the  switch  as  the  root  switch,  we  recommend  that  you  avoid  manually  configuring  the 
hello  time,  forward-delay  time,  and  maximum-age  time  through  the  spanning-tree  mst  hello-time, 
spanning-tree  mst  forward-time,  and  the  spanning-tree  mst  max-age  global  configuration 
commands. 


Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  a  switch  as  the  root  switch.  This 
procedure  is  optional. 


Command and Purpose

Step 1   configure terminal
         Enter global configuration mode.

Step 2   spanning-tree mst instance-id root primary [diameter net-diameter [hello-time seconds]]
         Configure a switch as the root switch.
         •  For instance-id, you can specify a single instance, a range of instances separated by a
            hyphen, or a series of instances separated by a comma. The range is 0 to 4094.
         •  (Optional) For diameter net-diameter, specify the maximum number of switches between any
            two end stations. The range is 2 to 7. This keyword is available only for MST instance 0.
         •  (Optional) For hello-time seconds, specify the interval in seconds between the generation of
            configuration messages by the root switch. The range is 1 to 10 seconds; the default is
            2 seconds.

Step 3   end
         Return to privileged EXEC mode.

Step 4   show spanning-tree mst instance-id
         Verify your entries.

Step 5   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To  return  the  switch  to  its  default  setting,  use  the  no  spanning-tree  mst  instance-id  root  global 
configuration  command. 


Configuring  a  Secondary  Root  Switch 

When  you  configure  a  switch  with  the  extended  system  ID  support  as  the  secondary  root,  the  switch 
priority  is  modified  from  the  default  value  (32768)  to  28672.  The  switch  is  then  likely  to  become  the 
root  switch  for  the  specified  instance  if  the  primary  root  switch  fails.  This  is  assuming  that  the  other 
network  switches  use  the  default  switch  priority  of  32768  and  therefore  are  unlikely  to  become  the  root 
switch. 
You can execute this command on more than one switch to configure multiple backup root switches. Use
the  same  network  diameter  and  hello-time  values  that  you  used  when  you  configured  the  primary  root 
switch  with  the  spanning-tree  mst  instance-id  root  primary  global  configuration  command. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  a  switch  as  the  secondary  root 
switch.  This  procedure  is  optional. 


Command and Purpose

Step 1   configure terminal
         Enter global configuration mode.

Step 2   spanning-tree mst instance-id root secondary [diameter net-diameter [hello-time seconds]]
         Configure a switch as the secondary root switch.
         •  For instance-id, you can specify a single instance, a range of instances separated by a
            hyphen, or a series of instances separated by a comma. The range is 0 to 4094.
         •  (Optional) For diameter net-diameter, specify the maximum number of switches between any
            two end stations. The range is 2 to 7. This keyword is available only for MST instance 0.
         •  (Optional) For hello-time seconds, specify the interval in seconds between the generation of
            configuration messages by the root switch. The range is 1 to 10 seconds; the default is
            2 seconds.
         Use the same network diameter and hello-time values that you used when configuring the primary
         root switch. See the "Configuring the Root Switch" section on page 13-17.

Step 3   end
         Return to privileged EXEC mode.

Step 4   show spanning-tree mst instance-id
         Verify your entries.

Step 5   copy running-config startup-config
         (Optional) Save your entries in the configuration file.


To  return  the  switch  to  its  default  setting,  use  the  no  spanning-tree  mst  instance-id  root  global 
configuration  command. 


Configuring  Port  Priority 

If  a  loop  occurs,  the  MSTP  uses  the  port  priority  when  selecting  an  interface  to  put  into  the  forwarding 
state.  You  can  assign  higher  priority  values  (lower  numerical  values)  to  interfaces  that  you  want  selected 
first  and  lower  priority  values  (higher  numerical  values)  that  you  want  selected  last.  If  all  interfaces  have 
the  same  priority  value,  the  MSTP  puts  the  interface  with  the  lowest  interface  number  in  the  forwarding 
state  and  blocks  the  other  interfaces. 
Beginning in privileged EXEC mode, follow these steps to configure the MSTP port priority of an
interface.  This  procedure  is  optional. 


Command and Purpose

Step 1   configure terminal
         Enter global configuration mode.

Step 2   interface interface-id
         Specify an interface to configure, and enter interface configuration mode.
         Valid interfaces include physical ports and port-channel logical interfaces. The port-channel
         range is 1 to 48.

Step 3   spanning-tree mst instance-id port-priority priority
         Configure the port priority.
         •  For instance-id, you can specify a single instance, a range of instances separated by a
            hyphen, or a series of instances separated by a comma. The range is 0 to 4094.
         •  For priority, the range is 0 to 240 in increments of 16. The default is 128. The lower the
            number, the higher the priority.
            The priority values are 0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224,
            and 240. All other values are rejected.

Step 4   end
         Return to privileged EXEC mode.

Step 5   show spanning-tree mst interface interface-id
         or
         show spanning-tree mst instance-id
         Verify your entries.

Step 6   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

Note      The  show  spanning-tree  mst  interface  interface-id  privileged  EXEC  command  displays  information 
only  if  the  port  is  in  a  link-up  operative  state.  Otherwise,  you  can  use  the  show  running-config  interface 
privileged  EXEC  command  to  confirm  the  configuration. 


To  return  the  interface  to  its  default  setting,  use  the  no  spanning-tree  mst  instance-id  port-priority 

interface  configuration  command. 


Configuring Path Cost

The MSTP path cost default value is derived from the media speed of an interface. If a loop occurs, the MSTP uses cost when selecting an interface to put in the forwarding state. You can assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last. If all interfaces have the same cost value, the MSTP puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces.

Beginning in privileged EXEC mode, follow these steps to configure the MSTP cost of an interface. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports and port-channel logical interfaces. The port-channel range is 1 to 48.

Step 3  spanning-tree mst instance-id cost cost
        Configure the cost.
        If a loop occurs, the MSTP uses the path cost when selecting an interface to place into the forwarding state. A lower path cost represents higher-speed transmission.
        • For instance-id, you can specify a single instance, a range of instances separated by a hyphen, or a series of instances separated by a comma. The range is 0 to 4094.
        • For cost, the range is 1 to 200000000; the default value is derived from the media speed of the interface.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show spanning-tree mst interface interface-id
        or
        show spanning-tree mst instance-id
        Verify your entries.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Note    The show spanning-tree mst interface interface-id privileged EXEC command displays information only for ports that are in a link-up operative state. Otherwise, you can use the show running-config privileged EXEC command to confirm the configuration.

To return the interface to its default setting, use the no spanning-tree mst instance-id cost interface configuration command.


Configuring the Switch Priority

You can configure the switch priority and make it more likely that it will be chosen as the root switch.

Note    Exercise care when using this command. For most situations, we recommend that you use the spanning-tree mst instance-id root primary and the spanning-tree mst instance-id root secondary global configuration commands to modify the switch priority.

Beginning in privileged EXEC mode, follow these steps to configure the switch priority. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.

Step 2  spanning-tree mst instance-id priority priority
        Configure the switch priority.
        • For instance-id, you can specify a single instance, a range of instances separated by a hyphen, or a series of instances separated by a comma. The range is 0 to 4094.
        • For priority, the range is 0 to 61440 in increments of 4096; the default is 32768. The lower the number, the more likely the switch will be chosen as the root switch.
        Priority values are 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440. All other values are rejected.

Step 3  end
        Return to privileged EXEC mode.

Step 4  show spanning-tree mst instance-id
        Verify your entries.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return the switch to its default setting, use the no spanning-tree mst instance-id priority global configuration command.


Configuring the Hello Time

You can configure the interval between the generation of configuration messages by the root switch by changing the hello time.

Beginning in privileged EXEC mode, follow these steps to configure the hello time for all MST instances. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.

Step 2  spanning-tree mst hello-time seconds
        Configure the hello time for all MST instances. The hello time is the interval between the generation of configuration messages by the root switch. These messages mean that the switch is alive.
        For seconds, the range is 1 to 10; the default is 2.

Step 3  end
        Return to privileged EXEC mode.

Step 4  show spanning-tree mst
        Verify your entries.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return the switch to its default setting, use the no spanning-tree mst hello-time global configuration command.



Configuring the Forwarding-Delay Time

Beginning in privileged EXEC mode, follow these steps to configure the forwarding-delay time for all MST instances. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.

Step 2  spanning-tree mst forward-time seconds
        Configure the forward time for all MST instances. The forward delay is the number of seconds a port waits before changing from its spanning-tree learning and listening states to the forwarding state.
        For seconds, the range is 4 to 30; the default is 15.

Step 3  end
        Return to privileged EXEC mode.

Step 4  show spanning-tree mst
        Verify your entries.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return the switch to its default setting, use the no spanning-tree mst forward-time global configuration command.


Configuring the Maximum-Aging Time

Beginning in privileged EXEC mode, follow these steps to configure the maximum-aging time for all MST instances. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.

Step 2  spanning-tree mst max-age seconds
        Configure the maximum-aging time for all MST instances. The maximum-aging time is the number of seconds a switch waits without receiving spanning-tree configuration messages before attempting a reconfiguration.
        For seconds, the range is 6 to 40; the default is 20.

Step 3  end
        Return to privileged EXEC mode.

Step 4  show spanning-tree mst
        Verify your entries.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return the switch to its default setting, use the no spanning-tree mst max-age global configuration command.
Configuring the Maximum-Hop Count

Beginning in privileged EXEC mode, follow these steps to configure the maximum-hop count for all MST instances. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.

Step 2  spanning-tree mst max-hops hop-count
        Specify the number of hops in a region before the BPDU is discarded, and the information held for a port is aged.
        For hop-count, the range is 1 to 255; the default is 20.

Step 3  end
        Return to privileged EXEC mode.

Step 4  show spanning-tree mst
        Verify your entries.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return the switch to its default setting, use the no spanning-tree mst max-hops global configuration command.
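The following is an added example, not code from the guide or from Cisco: it lints a saved configuration against the accepted values stated in the port priority, path cost, switch priority, hello-time, forward-time, max-age and max-hops procedures above, so that out-of-range lines are caught before the switch rejects them. The sample configuration and its interface names are constructed.

```python
"""Offline sanity check for the MSTP priority, cost and timer commands in this chapter.

Added example, not Cisco code: it re-implements the accepted ranges stated in the
procedures above so a practitioner can lint a saved configuration before pasting it
into a switch that would reject out-of-range values.
"""
from __future__ import annotations

import re

MST_INSTANCE_LINE = re.compile(
    r"^\s*spanning-tree mst (?P<inst>[\d,-]+) (?P<kw>port-priority|cost|priority) (?P<val>\d+)\s*$"
)
MST_TIMER_LINE = re.compile(
    r"^\s*spanning-tree mst (?P<kw>hello-time|forward-time|max-age|max-hops) (?P<val>\d+)\s*$"
)
# (low, high) per the procedures: seconds for the timers, hops for max-hops.
TIMER_RANGES = {"hello-time": (1, 10), "forward-time": (4, 30),
                "max-age": (6, 40), "max-hops": (1, 255)}


def parse_instance_ids(spec: str) -> list[int]:
    """Expand an instance-id argument such as '0,2-4,7' into [0, 2, 3, 4, 7].

    Accepts a single instance, a hyphenated range, or a comma-separated series,
    and raises ValueError when any instance falls outside 0 to 4094.
    """
    ids: list[int] = []
    for part in spec.split(","):
        if "-" in part:
            low_s, high_s = part.split("-", 1)
            low, high = int(low_s), int(high_s)
        else:
            low = high = int(part)
        if low > high:
            raise ValueError(f"inverted range {part!r}")
        if low < 0 or high > 4094:
            raise ValueError(f"instance-id {part!r} is outside 0 to 4094")
        ids.extend(range(low, high + 1))
    return ids


def valid_port_priority(value: int) -> bool:
    """0 to 240 in increments of 16 (default 128)."""
    return 0 <= value <= 240 and value % 16 == 0


def valid_switch_priority(value: int) -> bool:
    """0 to 61440 in increments of 4096 (default 32768)."""
    return 0 <= value <= 61440 and value % 4096 == 0


def valid_cost(value: int) -> bool:
    """1 to 200000000; the default is derived from the media speed."""
    return 1 <= value <= 200000000


CHECKS = {"port-priority": valid_port_priority, "priority": valid_switch_priority, "cost": valid_cost}


def lint_config(text: str) -> list[str]:
    """Return one message per MST command the switch would reject; [] means all are in range."""
    problems: list[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = MST_INSTANCE_LINE.match(line)
        if m:
            try:
                parse_instance_ids(m["inst"])
            except ValueError as exc:
                problems.append(f"line {lineno}: {exc}")
            value = int(m["val"])
            if not CHECKS[m["kw"]](value):
                problems.append(f"line {lineno}: {m['kw']} {value} is not an accepted value")
            continue
        m = MST_TIMER_LINE.match(line)
        if m:
            low, high = TIMER_RANGES[m["kw"]]
            value = int(m["val"])
            if not low <= value <= high:
                problems.append(f"line {lineno}: {m['kw']} {value} is outside {low} to {high}")
    return problems


# Constructed sample configuration (not captured from a switch); interface names are hypothetical.
SAMPLE_CONFIG = """\
spanning-tree mst 0-1 priority 24576
spanning-tree mst hello-time 2
spanning-tree mst forward-time 15
spanning-tree mst max-age 20
spanning-tree mst max-hops 20
interface GigabitEthernet0/17
 spanning-tree mst 0,1 port-priority 64
 spanning-tree mst 1 cost 20000
interface GigabitEthernet0/18
 spanning-tree mst 1 port-priority 100
 spanning-tree mst 2-4095 cost 0
"""

if __name__ == "__main__":
    for problem in lint_config(SAMPLE_CONFIG):
        print(problem)
```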


Specifying the Link Type to Ensure Rapid Transitions

If you connect a port to another port through a point-to-point link and the local port becomes a designated port, the RSTP negotiates a rapid transition with the other port by using the proposal-agreement handshake to ensure a loop-free topology, as described in the "Rapid Convergence" section on page 13-10.

By default, the link type is controlled from the duplex mode of the interface: a full-duplex port is considered to have a point-to-point connection; a half-duplex port is considered to have a shared connection. If you have a half-duplex link physically connected point-to-point to a single port on a remote switch running MSTP, you can override the default setting of the link type and enable rapid transitions to the forwarding state.

Beginning in privileged EXEC mode, follow these steps to override the default link-type setting. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports, VLANs, and port-channel logical interfaces. The VLAN ID range is 1 to 4094. The port-channel range is 1 to 48.

Step 3  spanning-tree link-type point-to-point
        Specify that the link type of a port is point-to-point.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show spanning-tree mst interface interface-id
        Verify your entries.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return the port to its default setting, use the no spanning-tree link-type interface configuration command.
Designating the Neighbor Type

A topology could contain both prestandard and IEEE 802.1s standard compliant devices. By default, ports can automatically detect prestandard devices, but they can still receive both standard and prestandard BPDUs. When there is a mismatch between a device and its neighbor, only the CIST runs on the interface.

You can choose to set a port to send only prestandard BPDUs. The prestandard flag appears in all the show commands, even if the port is in STP compatibility mode.

Beginning in privileged EXEC mode, follow these steps to set a port to send only prestandard BPDUs. This procedure is optional.

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify an interface to configure, and enter interface configuration mode. Valid interfaces include physical ports.

Step 3  spanning-tree mst pre-standard
        Specify that the port can send only prestandard BPDUs.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show spanning-tree mst interface interface-id
        Verify your entries.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return the port to its default setting, use the no spanning-tree mst pre-standard interface configuration command.


Restarting the Protocol Migration Process

A switch running MSTP supports a built-in protocol migration mechanism that enables it to interoperate with legacy IEEE 802.1D switches. If this switch receives a legacy IEEE 802.1D configuration BPDU (a BPDU with the protocol version set to 0), it sends only IEEE 802.1D BPDUs on that port. An MSTP switch also can detect that a port is at the boundary of a region when it receives a legacy BPDU, an MST BPDU (Version 3) associated with a different region, or an RST BPDU (Version 2).

However, the switch does not automatically revert to the MSTP mode if it no longer receives IEEE 802.1D BPDUs because it cannot detect whether the legacy switch has been removed from the link unless the legacy switch is the designated switch. A switch also might continue to assign a boundary role to a port when the switch to which it is connected has joined the region.

To restart the protocol migration process (force the renegotiation with neighboring switches) on the switch, use the clear spanning-tree detected-protocols privileged EXEC command.

To restart the protocol migration process on a specific interface, use the clear spanning-tree detected-protocols interface interface-id privileged EXEC command.
Displaying the MST Configuration and Status

To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 13-5.

Table 13-5  Commands for Displaying MST Status

show spanning-tree mst configuration
        Displays the MST region configuration.

show spanning-tree mst configuration digest
        Displays the MD5 digest included in the current MSTCI.

show spanning-tree mst instance-id
        Displays MST information for the specified instance.

show spanning-tree mst interface interface-id
        Displays MST information for the specified interface.

For information about other keywords for the show spanning-tree privileged EXEC command, see the command reference for this release.
Configuring Optional Spanning-Tree Features

This chapter describes how to configure optional spanning-tree features on the switch. You can configure all of these features when your switch is running the per-VLAN spanning-tree plus (PVST+). You can configure only the noted features when your switch is running the Multiple Spanning Tree Protocol (MSTP) or the rapid per-VLAN spanning-tree plus (rapid-PVST+) protocol.

For information on configuring the PVST+ and rapid PVST+, see Chapter 12, "Configuring STP." For information about the Multiple Spanning Tree Protocol (MSTP) and how to map multiple VLANs to the same spanning-tree instance, see Chapter 13, "Configuring MSTP."

For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.

This chapter consists of these sections:

• Understanding Optional Spanning-Tree Features, page 14-1

• Configuring Optional Spanning-Tree Features, page 14-9

• Displaying the Spanning-Tree Status, page 14-16

Understanding Optional Spanning-Tree Features

These sections contain this conceptual information:

• Understanding Port Fast, page 14-2

• Understanding BPDU Guard, page 14-2

• Understanding BPDU Filtering, page 14-3

• Understanding UplinkFast, page 14-3

• Understanding BackboneFast, page 14-5

• Understanding EtherChannel Guard, page 14-7

• Understanding Root Guard, page 14-8

• Understanding Loop Guard, page 14-9
Understanding Port Fast

Port Fast immediately brings an interface configured as an access or trunk port to the forwarding state from a blocking state, bypassing the listening and learning states.

Port Fast is enabled by default on interfaces that are connected to a blade server (ports 1 to 16), as shown in Figure 14-1, to allow those devices to immediately connect to the network, rather than waiting for the spanning tree to converge.

Interfaces connected to a blade server should not receive bridge protocol data units (BPDUs). An interface with Port Fast enabled goes through the normal cycle of spanning-tree status changes when the switch is restarted.

Note    Because the purpose of Port Fast is to minimize the time interfaces must wait for spanning-tree to converge, it is effective only when used on interfaces connected to end stations. If you enable Port Fast on an interface connecting to another switch, you risk creating a spanning-tree loop.

You can enable this feature by using the spanning-tree portfast interface configuration or the spanning-tree portfast default global configuration command.

Figure 14-1  Port Fast-Enabled Interfaces (the figure shows the switch ports that connect to the blade servers)

Understanding BPDU Guard

The BPDU guard feature can be globally enabled on the switch or can be enabled per port, but the feature operates with some differences.

At the global level, you enable BPDU guard on Port Fast-enabled ports by using the spanning-tree portfast bpduguard default global configuration command. Spanning tree shuts down ports that are in a Port Fast-operational state if any BPDU is received on them. In a valid configuration, Port Fast-enabled ports do not receive BPDUs. Receiving a BPDU on a Port Fast-enabled port means an invalid configuration, such as the connection of an unauthorized device, and the BPDU guard feature puts the port in the error-disabled state. When this happens, the switch shuts down the entire port on which the violation occurred.

To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred.

At the interface level, you enable BPDU guard on any port by using the spanning-tree bpduguard enable interface configuration command without also enabling the Port Fast feature. When the port receives a BPDU, it is put in the error-disabled state.

The BPDU guard feature provides a secure response to invalid configurations because you must manually put the interface back in service. Use the BPDU guard feature in a service-provider network to prevent an access port from participating in the spanning tree.

Understanding BPDU Filtering

The BPDU filtering feature can be globally enabled on the switch or can be enabled per interface, but the feature operates with some differences.

At the global level, you can enable BPDU filtering on Port Fast-enabled interfaces by using the spanning-tree portfast bpdufilter default global configuration command. This command prevents interfaces that are in a Port Fast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. You should globally enable BPDU filtering on a switch so that hosts connected to these interfaces do not receive BPDUs. If a BPDU is received on a Port Fast-enabled interface, the interface loses its Port Fast-operational status, and BPDU filtering is disabled.

At the interface level, you can enable BPDU filtering on any interface by using the spanning-tree bpdufilter enable interface configuration command without also enabling the Port Fast feature. This command prevents the interface from sending or receiving BPDUs.

Caution    Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops.

You can enable the BPDU filtering feature for the entire switch or for an interface.
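As an added example, not code from the guide or from Cisco, the following model encodes the global and interface-level behaviour described in the BPDU guard and BPDU filtering sections so the differences can be exercised side by side. Where the text is silent (a port covered by both global features, or a Port Fast port with neither feature), the ordering and outcome the model applies are assumptions noted in the comments.

```python
"""Model of how BPDU guard and BPDU filtering react to a received BPDU.

Added example, not Cisco code: it encodes the global versus interface-level
behaviour described above. Where the text is silent, the model applies BPDU
guard before Port Fast loss, and treats any Port Fast port that receives a BPDU
as losing Port Fast-operational status; both are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class GlobalConfig:
    bpduguard_default: bool = False    # spanning-tree portfast bpduguard default
    bpdufilter_default: bool = False   # spanning-tree portfast bpdufilter default


@dataclass
class PortConfig:
    portfast: bool = False             # spanning-tree portfast (or covered by portfast default)
    bpduguard: bool = False            # spanning-tree bpduguard enable (interface level)
    bpdufilter: bool = False           # spanning-tree bpdufilter enable (interface level)


@dataclass
class PortState:
    name: str
    cfg: PortConfig
    portfast_operational: bool
    filtering: bool                    # port neither sends nor receives BPDUs
    err_disabled: bool = False         # cleared only by manual intervention
    events: list[str] = field(default_factory=list)


def bring_up(name: str, cfg: PortConfig, glob: GlobalConfig) -> PortState:
    """State of a freshly linked-up port before any BPDU has arrived."""
    operational = cfg.portfast
    # Global filtering covers only Port Fast-operational ports; interface-level
    # filtering applies regardless and is equivalent to disabling spanning tree.
    filtering = cfg.bpdufilter or (glob.bpdufilter_default and operational)
    return PortState(name, cfg, operational, filtering)


def receive_bpdu(state: PortState, glob: GlobalConfig) -> PortState:
    """Apply the documented reaction to one BPDU arriving on the port."""
    if state.err_disabled:
        return state                   # already shut down; nothing more happens
    if state.cfg.bpdufilter:
        # Interface-level filtering drops the BPDU; the port never sees it.
        state.events.append("BPDU dropped by interface-level BPDU filtering")
        return state
    guard_active = state.cfg.bpduguard or (glob.bpduguard_default and state.portfast_operational)
    if guard_active:
        # A BPDU on a guarded port signals an invalid configuration, such as an
        # unauthorized device; the port is error-disabled until an operator clears it.
        state.err_disabled = True
        state.events.append("port error-disabled by BPDU guard")
        return state
    if state.portfast_operational:
        # Port Fast port without guard: it loses Port Fast-operational status and
        # any global BPDU filtering is disabled, so normal spanning tree takes over.
        state.portfast_operational = False
        state.filtering = False
        state.events.append("lost Port Fast-operational status; BPDU passed to spanning tree")
    else:
        state.events.append("BPDU passed to spanning tree")
    return state


def scenario(glob: GlobalConfig, cfg: PortConfig) -> PortState:
    """Bring up a port with the given configuration and deliver one BPDU (constructed scenario)."""
    return receive_bpdu(bring_up("port", cfg, glob), glob)


if __name__ == "__main__":
    for label, glob, cfg in [
        ("global guard, Port Fast port", GlobalConfig(bpduguard_default=True), PortConfig(portfast=True)),
        ("global guard, non-Port Fast port", GlobalConfig(bpduguard_default=True), PortConfig()),
        ("global filter, Port Fast port", GlobalConfig(bpdufilter_default=True), PortConfig(portfast=True)),
        ("interface filter", GlobalConfig(), PortConfig(bpdufilter=True)),
    ]:
        print(label, "->", scenario(glob, cfg).events)
```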

Understanding UplinkFast

Switches in hierarchical networks can be grouped into backbone switches, distribution switches, and access switches. Figure 14-2 shows a complex network where distribution switches and access switches each have at least one redundant link that spanning tree blocks to prevent loops.
Figure 14-2  Switches in a Hierarchical Network (legend: backbone switches, root bridge, blade switches, active link, blocked link)

If a switch loses connectivity, it begins using the alternate paths as soon as the spanning tree selects a new root port. By enabling UplinkFast with the spanning-tree uplinkfast global configuration command, you can accelerate the choice of a new root port when a link or switch fails or when the spanning tree reconfigures itself. The root port transitions to the forwarding state immediately without going through the listening and learning states, as it would with the normal spanning-tree procedures.

When the spanning tree reconfigures the new root port, other interfaces flood the network with multicast packets, one for each address that was learned on the interface. You can limit these bursts of multicast traffic by reducing the max-update-rate parameter (the default for this parameter is 150 packets per second). However, if you enter zero, station-learning frames are not generated, so the spanning-tree topology converges more slowly after a loss of connectivity.

Note    UplinkFast is most useful in wiring-closet switches at the access or edge of the network. It is not appropriate for backbone devices. This feature might not be useful for other types of applications.

UplinkFast provides fast convergence after a direct link failure and achieves load balancing between redundant Layer 2 links using uplink groups. An uplink group is a set of Layer 2 interfaces (per VLAN), only one of which is forwarding at any given time. Specifically, an uplink group consists of the root port (which is forwarding) and a set of blocked ports, except for self-looping ports. The uplink group provides an alternate path in case the currently forwarding link fails.

Figure 14-3 shows an example topology with no link failures. Switch A, the root switch, is connected directly to Switch B over link L1 and to Switch C over link L2. The Layer 2 interface on Switch C that is connected directly to Switch B is in a blocking state.
Figure 14-3  UplinkFast Example Before Direct Link Failure (Switch A, the root, connected to Switch B and Switch C)

If Switch C detects a link failure on the currently active link L2 on the root port (a direct link failure), UplinkFast unblocks the blocked interface on Switch C and transitions it to the forwarding state without going through the listening and learning states, as shown in Figure 14-4. This change takes approximately 1 to 5 seconds.

Figure 14-4  UplinkFast Example After Direct Link Failure (Switch A, the root, connected to Switch B and Switch C)
Understanding BackboneFast

BackboneFast detects indirect failures in the core of the backbone. BackboneFast is a complementary technology to the UplinkFast feature, which responds to failures on links directly connected to access switches. BackboneFast optimizes the maximum-age timer, which controls the amount of time the switch stores protocol information received on an interface. When a switch receives an inferior BPDU from the designated port of another switch, the BPDU is a signal that the other switch might have lost its path to the root, and BackboneFast tries to find an alternate path to the root.

BackboneFast, which is enabled by using the spanning-tree backbonefast global configuration command, starts when a root port or blocked interface on a switch receives inferior BPDUs from its designated switch. An inferior BPDU identifies a switch that declares itself as both the root bridge and the designated switch. When a switch receives an inferior BPDU, it means that a link to which the switch is not directly connected (an indirect link) has failed (that is, the designated switch has lost its connection to the root switch). Under spanning-tree rules, the switch ignores inferior BPDUs for the configured maximum aging time specified by the spanning-tree vlan vlan-id max-age global configuration command.
The switch tries to find if it has an alternate path to the root switch. If the inferior BPDU arrives on a blocked interface, the root port and other blocked interfaces on the switch become alternate paths to the root switch. (Self-looped ports are not considered alternate paths to the root switch.) If the inferior BPDU arrives on the root port, all blocked interfaces become alternate paths to the root switch. If the inferior BPDU arrives on the root port and there are no blocked interfaces, the switch assumes that it has lost connectivity to the root switch, causes the maximum aging time on the root port to expire, and becomes the root switch according to normal spanning-tree rules.

If the switch has alternate paths to the root switch, it uses these alternate paths to send a root link query (RLQ) request. The switch sends the RLQ request on all alternate paths and waits for an RLQ reply from other switches in the network.

If the switch discovers that it still has an alternate path to the root, it expires the maximum aging time on the interface that received the inferior BPDU. If all the alternate paths to the root switch indicate that the switch has lost connectivity to the root switch, the switch expires the maximum aging time on the interface that received the RLQ reply. If one or more alternate paths can still connect to the root switch, the switch makes all interfaces on which it received an inferior BPDU its designated ports and moves them from the blocking state (if they were in the blocking state), through the listening and learning states, and into the forwarding state.

Figure 14-5 shows an example topology with no link failures. Switch A, the root switch, connects directly to Switch B over link L1 and to Switch C over link L2. The Layer 2 interface on Switch C that connects directly to Switch B is in the blocking state.

Figure 14-5  BackboneFast Example Before Indirect Link Failure (Switch A, the root, connected to Switch B and Switch C)

If link L1 fails as shown in Figure 14-6, Switch C cannot detect this failure because it is not connected directly to link L1. However, because Switch B is directly connected to the root switch over L1, it detects the failure, elects itself the root, and begins sending BPDUs to Switch C, identifying itself as the root. When Switch C receives the inferior BPDUs from Switch B, Switch C assumes that an indirect failure has occurred. At that point, BackboneFast allows the blocked interface on Switch C to move immediately to the listening state without waiting for the maximum aging time for the interface to expire. BackboneFast then transitions the Layer 2 interface on Switch C to the forwarding state, providing a path from Switch B to Switch A. The root-switch election takes approximately 30 seconds, twice the Forward Delay time if the default Forward Delay time of 15 seconds is set. Figure 14-6 shows how BackboneFast reconfigures the topology to account for the failure of link L1.
Figure 14-6  BackboneFast Example After Indirect Link Failure (Switch A, the root, connected to Switch B and Switch C)

If a new switch is introduced into a shared-medium topology as shown in Figure 14-7, BackboneFast is not activated because the inferior BPDUs did not come from the recognized designated switch (Switch B). The new switch begins sending inferior BPDUs that indicate it is the root switch. However, the other switches ignore these inferior BPDUs, and the new switch learns that Switch B is the designated switch to Switch A, the root switch.

Figure 14-7  Adding a Switch in a Shared-Medium Topology (Switch A, the root, and Switch C are shown)
Understanding EtherChannel Guard

You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device. A misconfiguration can occur if the switch interfaces are configured in an EtherChannel, but the interfaces on the other device are not. A misconfiguration can also occur if the channel parameters are not the same at both ends of the EtherChannel. For EtherChannel configuration guidelines, see the "EtherChannel Configuration Guidelines" section on page 28-9.

If the switch detects a misconfiguration on the other device, EtherChannel guard places the switch interfaces in the error-disabled state, and displays an error message.

You can enable this feature by using the spanning-tree etherchannel guard misconfig global configuration command.
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Understanding  Root  Guard 

The  Layer  2  network  of  a  service  provider  (SP)  can  include  many  connections  to  switches  that  are  not 
owned  by  the  SP.  In  such  a  topology,  the  spanning  tree  can  reconfigure  itself  and  select  a  customer 
switch  as  the  root  switch,  as  shown  in  Figure  14-8.  You  can  avoid  this  situation  by  enabling  root  guard 
on  SP  switch  interfaces  that  connect  to  switches  in  your  customer's  network.  If  spanning-tree 
calculations  cause  an  interface  in  the  customer  network  to  be  selected  as  the  root  port,  root  guard  then 
places  the  interface  in  the  root-inconsistent  (blocked)  state  to  prevent  the  customer's  switch  from 
becoming  the  root  switch  or  being  in  the  path  to  the  root. 

If  a  switch  outside  the  SP  network  becomes  the  root  switch,  the  interface  is  blocked  (root-inconsistent 
state),  and  spanning  tree  selects  a  new  root  switch.  The  customer's  switch  does  not  become  the  root 
switch  and  is  not  in  the  path  to  the  root. 

If the switch is operating in multiple spanning-tree (MST) mode, root guard forces the interface to be a designated port. If a boundary port is blocked in an internal spanning-tree (IST) instance because of root guard, the interface also is blocked in all MST instances. A boundary port is an interface that connects to a LAN, the designated switch of which is either an IEEE 802.1D switch or a switch with a different MST region configuration.

Root  guard  enabled  on  an  interface  applies  to  all  the  VLANs  to  which  the  interface  belongs.  VLANs  can 
be  grouped  and  mapped  to  an  MST  instance. 

You  can  enable  this  feature  by  using  the  spanning-tree  guard  root  interface  configuration  command. 

Caution  Misuse of the root-guard feature can cause a loss of connectivity.


Figure 14-8  Root Guard in a Service-Provider Network (figure labels: Customer network; Potential spanning-tree root without root guard enabled; Service-provider network; Desired root switch; Enable the root-guard feature on these interfaces to prevent switches in the customer network from becoming the root switch or being in the path to the root.)
Understanding Loop Guard

You  can  use  loop  guard  to  prevent  alternate  or  root  ports  from  becoming  designated  ports  because  of  a 
failure  that  leads  to  a  unidirectional  link.  This  feature  is  most  effective  when  it  is  enabled  on  the  entire 
switched  network.  Loop  guard  prevents  alternate  and  root  ports  from  becoming  designated  ports,  and 
spanning  tree  does  not  send  BPDUs  on  root  or  alternate  ports. 

You  can  enable  this  feature  by  using  the  spanning-tree  loopguard  default  global  configuration 
command. 

When  the  switch  is  operating  in  PVST+  or  rapid-PVST+  mode,  loop  guard  prevents  alternate  and  root 
ports  from  becoming  designated  ports,  and  spanning  tree  does  not  send  BPDUs  on  root  or  alternate  ports. 

When  the  switch  is  operating  in  MST  mode,  BPDUs  are  not  sent  on  nonboundary  ports  only  if  the 
interface  is  blocked  by  loop  guard  in  all  MST  instances.  On  a  boundary  port,  loop  guard  blocks  the 
interface  in  all  MST  instances. 

Configuring  Optional  Spanning-Tree  Features 

These  sections  contain  this  configuration  information: 

•  Default  Optional  Spanning-Tree  Configuration,  page  14-9 

•  Optional  Spanning-Tree  Configuration  Guidelines,  page  14-10 

•  Enabling  Port  Fast,  page  14-10  (optional) 

•  Enabling  BPDU  Guard,  page  14-11  (optional) 

•  Enabling  BPDU  Filtering,  page  14-12  (optional) 

•  Enabling  UplinkFast  for  Use  with  Redundant  Links,  page  14-13  (optional) 

•  Enabling  BackboneFast,  page  14-13  (optional) 

•  Enabling  EtherChannel  Guard,  page  14-14  (optional) 

•  Enabling  Root  Guard,  page  14-15  (optional) 

•  Enabling  Loop  Guard,  page  14-15  (optional) 

Default  Optional  Spanning-Tree  Configuration 


Table 14-1 shows the default optional spanning-tree configuration.

Table 14-1  Default Optional Spanning-Tree Configuration

Feature                                   Default Setting
Port Fast, BPDU filtering, BPDU guard     Globally disabled (unless they are individually configured per interface).
UplinkFast                                Globally disabled.
BackboneFast                              Globally disabled.
EtherChannel guard                        Globally enabled.
Root guard                                Disabled on all interfaces.
Loop guard                                Disabled on all interfaces.
Optional Spanning-Tree Configuration Guidelines

You can configure PortFast, BPDU guard, BPDU filtering, EtherChannel guard, root guard, or loop guard if your switch is running PVST+, rapid PVST+, or MSTP.

You  can  configure  the  UplinkFast  or  the  BackboneFast  feature  for  rapid  PVST+  or  for  the  MSTP,  but 
the  feature  remains  disabled  (inactive)  until  you  change  the  spanning-tree  mode  to  PVST+. 


Enabling  Port  Fast 

An  interface  with  the  Port  Fast  feature  enabled  is  moved  directly  to  the  spanning-tree  forwarding  state 
without  waiting  for  the  standard  forward-time  delay. 

Caution  Use Port Fast only when connecting a single end station to an access or trunk port. Enabling this feature on an interface connected to a switch or hub could prevent spanning tree from detecting and disabling loops in your network, which could cause broadcast storms and address-learning problems.


If  you  enable  the  voice  VLAN  feature,  the  Port  Fast  feature  is  automatically  enabled.  When  you  disable 
voice  VLAN,  the  Port  Fast  feature  is  not  automatically  disabled.  For  more  information,  see  Chapter  11, 
"Configuring  Voice  VLAN." 

You  can  enable  this  feature  if  your  switch  is  running  PVST+,  rapid  PVST+,  or  MSTP. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  enable  Port  Fast.  This  procedure  is  optional. 


Command / Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify an interface to configure, and enter interface configuration mode.

Step 3  spanning-tree portfast [trunk]
        Enable Port Fast on an access port connected to a single workstation or server. By specifying the trunk keyword, you can enable Port Fast on a trunk port.

        Note  To enable Port Fast on trunk ports, you must use the spanning-tree portfast trunk interface configuration command. The spanning-tree portfast command will not work on trunk ports.

        Caution  Make sure that there are no loops in the network between the trunk port and the workstation or server before you enable Port Fast on a trunk port.

        By default, Port Fast is disabled on all interfaces.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show spanning-tree interface interface-id portfast
        Verify your entries.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Note  You can use the spanning-tree portfast default global configuration command to globally enable the Port Fast feature on all nontrunking ports.


To  disable  the  Port  Fast  feature,  use  the  spanning-tree  portfast  disable  interface  configuration 
command. 


Enabling  BPDU  Guard 

When  you  globally  enable  BPDU  guard  on  ports  that  are  Port  Fast-enabled  (the  ports  are  in  a  Port 
Fast-operational  state),  spanning  tree  shuts  down  Port  Fast-enabled  ports  that  receive  BPDUs. 

In  a  valid  configuration,  Port  Fast-enabled  ports  do  not  receive  BPDUs.  Receiving  a  BPDU  on  a  Port 
Fast-enabled  port  means  an  invalid  configuration,  such  as  the  connection  of  an  unauthorized  device,  and 
the  BPDU  guard  feature  puts  the  port  in  the  error-disabled  state.  When  this  happens,  the  switch  shuts 
down  the  entire  port  on  which  the  violation  occurred. 

To prevent the port from shutting down, you can use the errdisable detect cause bpduguard shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred.

The  BPDU  guard  feature  provides  a  secure  response  to  invalid  configurations  because  you  must 
manually  put  the  port  back  in  service.  Use  the  BPDU  guard  feature  in  a  service-provider  network  to 
prevent  an  access  port  from  participating  in  the  spanning  tree. 

Caution  Configure Port Fast only on ports that connect to end stations; otherwise, an accidental topology loop could cause a data packet loop and disrupt switch and network operation.


You also can use the spanning-tree bpduguard enable interface configuration command to enable BPDU guard on any port without also enabling the Port Fast feature. When the port receives a BPDU, it is put in the error-disabled state.

You can enable the BPDU guard feature if your switch is running PVST+, rapid PVST+, or MSTP.

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  globally  enable  the  BPDU  guard  feature.  This 
procedure  is  optional. 


Command / Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  spanning-tree portfast bpduguard default
        Globally enable BPDU guard.
        By default, BPDU guard is disabled.

Step 3  interface interface-id
        Specify the interface connected to an end station, and enter interface configuration mode.

Step 4  spanning-tree portfast
        Enable the Port Fast feature.

Step 5  end
        Return to privileged EXEC mode.

Step 6  show running-config
        Verify your entries.

Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
To disable BPDU guard, use the no spanning-tree portfast bpduguard default global configuration command.

You  can  override  the  setting  of  the  no  spanning-tree  portfast  bpduguard  default  global  configuration 
command  by  using  the  spanning-tree  bpduguard  enable  interface  configuration  command. 
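The guard features above (BPDU guard, root guard, loop guard, EtherChannel guard) announce themselves through syslog, and an operator needs to know which ports the switch has error-disabled (BPDU guard and EtherChannel guard, which the guide says require manual recovery) and which are merely held in a root-inconsistent or loop-inconsistent state. The following Python script is an added example, not part of the guide or of Cisco IOS. The sample log lines are constructed and modelled on the format of the IOS %SPANTREE and %PM messages; the exact wording differs between releases, so the patterns are a starting point to adapt to what your switches actually log.

```python
import re

# Constructed sample syslog lines, modelled on the %SPANTREE and %PM message
# formats IOS uses for the guard features; not captured from a real switch.
SAMPLE_LOG = """\
Mar  1 10:02:11.301: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/5 with BPDU Guard enabled. Disabling port.
Mar  1 10:02:11.305: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/5, putting Gi0/5 in err-disable state
Mar  1 10:04:40.120: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/24 on VLAN0010.
Mar  1 10:05:02.777: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/23 on VLAN0020.
Mar  1 10:06:15.009: %SPANTREE-2-CHNL_MISCFG: Detected loop due to etherchannel misconfiguration of GigabitEthernet0/7
Mar  1 10:06:15.012: %PM-4-ERR_DISABLE: channel-misconfig error detected on Gi0/7, putting Gi0/7 in err-disable state
Mar  1 10:09:30.444: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port GigabitEthernet0/24 on VLAN0010.
"""

# (feature, action, pattern). Named groups: port, vlan (guards only), cause (errdisable only).
PATTERNS = [
    ("bpduguard", "block",
     re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<port>\S+) with BPDU Guard")),
    ("rootguard", "block",
     re.compile(r"%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port (?P<port>\S+) on (?P<vlan>VLAN\d+)")),
    ("rootguard", "unblock",
     re.compile(r"%SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port (?P<port>\S+) on (?P<vlan>VLAN\d+)")),
    ("loopguard", "block",
     re.compile(r"%SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port (?P<port>\S+) on (?P<vlan>VLAN\d+)")),
    ("loopguard", "unblock",
     re.compile(r"%SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port (?P<port>\S+) on (?P<vlan>VLAN\d+)")),
    ("etherchannel-guard", "block",
     re.compile(r"%SPANTREE-2-CHNL_MISCFG: .*misconfiguration of (?P<port>\S+)")),
    ("errdisable", "block",
     re.compile(r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>\S+), putting")),
]


def normalize_port(name):
    """Map long interface names (GigabitEthernet0/5) to the short form %PM uses (Gi0/5)."""
    return name.rstrip(".").replace("GigabitEthernet", "Gi").replace("FastEthernet", "Fa")


def parse_events(log_text):
    """Turn raw syslog text into a list of guard events (one dict per matched line)."""
    events = []
    for line in log_text.splitlines():
        for feature, action, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                d = m.groupdict()
                events.append({"feature": feature, "action": action,
                               "port": normalize_port(d["port"]),
                               "vlan": d.get("vlan"), "cause": d.get("cause")})
                break
    return events


def summarize(events):
    """Reduce the event stream to the state an operator has to act on.

    err_disabled: ports the switch shut down (BPDU guard, EtherChannel guard); per the
                  guide these need manual recovery (shutdown / no shutdown).
    inconsistent: (port, VLAN) pairs still blocked by root guard or loop guard; an
                  UNBLOCK message for the same pair clears the entry.
    """
    err_disabled = {}
    inconsistent = {}
    for e in events:
        if e["feature"] == "errdisable":
            err_disabled[e["port"]] = e["cause"]
        elif e["feature"] in ("rootguard", "loopguard"):
            key = (e["port"], e["vlan"])
            if e["action"] == "block":
                inconsistent[key] = e["feature"]
            else:
                inconsistent.pop(key, None)
    return {"err_disabled": err_disabled, "inconsistent": inconsistent}


if __name__ == "__main__":
    state = summarize(parse_events(SAMPLE_LOG))
    for port, cause in sorted(state["err_disabled"].items()):
        print(f"{port}: err-disabled ({cause}); shutdown / no shutdown once the cause is fixed")
    for (port, vlan), guard in sorted(state["inconsistent"].items()):
        print(f"{port} {vlan}: still blocked by {guard}")
```

On the constructed input the report lists Gi0/5 (bpduguard) and Gi0/7 (channel-misconfig) as error-disabled and Gi0/23 on VLAN0020 as still blocked by loop guard; Gi0/24 drops out because its root-guard block was followed by an unblock. The %PM line, not the %SPANTREE trigger, is what drives the err-disabled list, since it is the message that states the port was actually shut down.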


Enabling  BPDU  Filtering 

When  you  globally  enable  BPDU  filtering  on  Port  Fast-enabled  interfaces,  it  prevents  interfaces  that  are 
in  a  Port  Fast-operational  state  from  sending  or  receiving  BPDUs.  The  interfaces  still  send  a  few  BPDUs 
at  link-up  before  the  switch  begins  to  filter  outbound  BPDUs.  You  should  globally  enable  BPDU 
filtering  on  a  switch  so  that  hosts  connected  to  these  interfaces  do  not  receive  BPDUs.  If  a  BPDU  is 
received  on  a  Port  Fast-enabled  interface,  the  interface  loses  its  Port  Fast-operational  status,  and  BPDU 
filtering  is  disabled. 

Caution  Configure Port Fast only on interfaces that connect to end stations; otherwise, an accidental topology loop could cause a data packet loop and disrupt switch and network operation.


You  can  also  use  the  spanning-tree  bpdufilter  enable  interface  configuration  command  to  enable 
BPDU  filtering  on  any  interface  without  also  enabling  the  Port  Fast  feature.  This  command  prevents  the 
interface  from  sending  or  receiving  BPDUs. 

Caution  Enabling BPDU filtering on an interface is the same as disabling spanning tree on it and can result in spanning-tree loops.


You can enable the BPDU filtering feature if your switch is running PVST+, rapid PVST+, or MSTP.

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  globally  enable  the  BPDU  filtering  feature. 
This  procedure  is  optional. 


Command / Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  spanning-tree portfast bpdufilter default
        Globally enable BPDU filtering.
        By default, BPDU filtering is disabled.

Step 3  interface interface-id
        Specify the interface connected to an end station, and enter interface configuration mode.

Step 4  spanning-tree portfast
        Enable the Port Fast feature.

Step 5  end
        Return to privileged EXEC mode.

Step 6  show running-config
        Verify your entries.

Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To  disable  BPDU  filtering,  use  the  no  spanning-tree  portfast  bpdufilter  default  global  configuration 
command. 

You  can  override  the  setting  of  the  no  spanning-tree  portfast  bpdufilter  default  global  configuration 
command  by  using  the  spanning-tree  bpdufilter  enable  interface  configuration  command. 
Enabling UplinkFast for Use with Redundant Links

UplinkFast  cannot  be  enabled  on  VLANs  that  have  been  configured  with  a  switch  priority.  To  enable 
UplinkFast  on  a  VLAN  with  switch  priority  configured,  first  restore  the  switch  priority  on  the  VLAN  to 
the  default  value  by  using  the  no  spanning-tree  vlan  vlan-id  priority  global  configuration  command. 

Note  When you enable UplinkFast, it affects all VLANs on the switch. You cannot configure UplinkFast on an individual VLAN.


You  can  configure  the  UplinkFast  feature  for  rapid  PVST+  or  for  the  MSTP,  but  the  feature  remains 
disabled  (inactive)  until  you  change  the  spanning-tree  mode  to  PVST+. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  enable  UplinkFast.  This  procedure  is 
optional. 


Command / Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  spanning-tree uplinkfast [max-update-rate pkts-per-second]
        Enable UplinkFast.
        (Optional) For pkts-per-second, the range is 0 to 32000 packets per second; the default is 150.
        If you set the rate to 0, station-learning frames are not generated, and the spanning-tree topology converges more slowly after a loss of connectivity.

Step 3  end
        Return to privileged EXEC mode.

Step 4  show spanning-tree summary
        Verify your entries.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

When  UplinkFast  is  enabled,  the  switch  priority  of  all  VLANs  is  set  to  49152.  If  you  change  the  path 
cost  to  a  value  less  than  3000  and  you  enable  UplinkFast  or  UplinkFast  is  already  enabled,  the  path  cost 
of  all  interfaces  and  VLAN  trunks  is  increased  by  3000  (if  you  change  the  path  cost  to  3000  or  above, 
the  path  cost  is  not  altered).  The  changes  to  the  switch  priority  and  the  path  cost  reduce  the  chance  that 
a  switch  will  become  the  root  switch. 

When  UplinkFast  is  disabled,  the  switch  priorities  of  all  VLANs  and  path  costs  of  all  interfaces  are  set 
to  default  values  if  you  did  not  modify  them  from  their  defaults. 

To  return  the  update  packet  rate  to  the  default  setting,  use  the  no  spanning-tree  uplinkfast 
max-update-rate  global  configuration  command.  To  disable  UplinkFast,  use  the  no  spanning-tree 
uplinkfast  command. 


Enabling  BackboneFast 

You  can  enable  BackboneFast  to  detect  indirect  link  failures  and  to  start  the  spanning-tree 
reconfiguration  sooner. 

Note  If you use BackboneFast, you must enable it on all switches in the network. BackboneFast is not supported on Token Ring VLANs. This feature is supported for use with third-party switches.


Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide, 380261-003, page 14-13
Chapter 14  Configuring Optional Spanning-Tree Features


You  can  configure  the  BackboneFast  feature  for  rapid  PVST+  or  for  the  MSTP,  but  the  feature  remains 
disabled  (inactive)  until  you  change  the  spanning-tree  mode  to  PVST+. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  enable  BackboneFast.  This  procedure  is 
optional. 


Command / Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  spanning-tree backbonefast
        Enable BackboneFast.

Step 3  end
        Return to privileged EXEC mode.

Step 4  show spanning-tree summary
        Verify your entries.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.


To  disable  the  BackboneFast  feature,  use  the  no  spanning-tree  backbonefast  global  configuration 
command. 


Enabling  EtherChannel  Guard 

You  can  enable  EtherChannel  guard  to  detect  an  EtherChannel  misconfiguration  if  your  switch  is 
running  PVST+,  rapid  PVST+,  or  MSTP. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  enable  EtherChannel  guard.  This  procedure 
is  optional. 


Command / Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  spanning-tree etherchannel guard misconfig
        Enable EtherChannel guard.

Step 3  end
        Return to privileged EXEC mode.

Step 4  show spanning-tree summary
        Verify your entries.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.


To  disable  the  EtherChannel  guard  feature,  use  the  no  spanning-tree  etherchannel  guard  misconfig 
global  configuration  command. 

You  can  use  the  show  interfaces  status  err-disabled  privileged  EXEC  command  to  show  which  switch 
ports  are  disabled  because  of  an  EtherChannel  misconfiguration.  On  the  remote  device,  you  can  enter 
the  show  etherchannel  summary  privileged  EXEC  command  to  verify  the  EtherChannel  configuration. 

After  the  configuration  is  corrected,  enter  the  shutdown  and  no  shutdown  interface  configuration 
commands  on  the  port-channel  interfaces  that  were  misconfigured. 
Enabling Root Guard


Root  guard  enabled  on  an  interface  applies  to  all  the  VLANs  to  which  the  interface  belongs.  Do  not 
enable  the  root  guard  on  interfaces  to  be  used  by  the  UplinkFast  feature.  With  UplinkFast,  the  backup 
interfaces  (in  the  blocked  state)  replace  the  root  port  in  the  case  of  a  failure.  However,  if  root  guard  is 
also  enabled,  all  the  backup  interfaces  used  by  the  UplinkFast  feature  are  placed  in  the  root-inconsistent 
state  (blocked)  and  are  prevented  from  reaching  the  forwarding  state. 

Note  You cannot enable both root guard and loop guard at the same time.

You  can  enable  this  feature  if  your  switch  is  running  PVST+,  rapid  PVST+,  or  MSTP. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  enable  root  guard  on  an  interface.  This 
procedure  is  optional. 


Command / Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify an interface to configure, and enter interface configuration mode.

Step 3  spanning-tree guard root
        Enable root guard on the interface.
        By default, root guard is disabled on all interfaces.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show running-config
        Verify your entries.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To  disable  root  guard,  use  the  no  spanning-tree  guard  interface  configuration  command. 


Enabling  Loop  Guard 

You  can  use  loop  guard  to  prevent  alternate  or  root  ports  from  becoming  designated  ports  because  of  a 
failure  that  leads  to  a  unidirectional  link.  This  feature  is  most  effective  when  it  is  configured  on  the  entire 
switched  network.  Loop  guard  operates  only  on  interfaces  that  are  considered  point-to-point  by  the 
spanning  tree. 

Note  You cannot enable both loop guard and root guard at the same time.


You  can  enable  this  feature  if  your  switch  is  running  PVST+,  rapid  PVST+,  or  MSTP. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  enable  loop  guard.  This  procedure  is  optional. 


Command / Purpose

Step 1  show spanning-tree active
        or
        show spanning-tree mst
        Verify which interfaces are alternate or root ports.

Step 2  configure terminal
        Enter global configuration mode.

Step 3  spanning-tree loopguard default
        Enable loop guard.
        By default, loop guard is disabled.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show running-config
        Verify your entries.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To  globally  disable  loop  guard,  use  the  no  spanning-tree  loopguard  default  global  configuration 
command.  You  can  override  the  setting  of  the  no  spanning-tree  loopguard  default  global  configuration 
command  by  using  the  spanning-tree  guard  loop  interface  configuration  command. 
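The procedures in this chapter are applied one interface at a time, so drift is easy: a Port Fast port added without BPDU guard, or BPDU filtering left on a port where it silently disables spanning tree. The following Python audit is an added example, not part of the guide or of Cisco IOS; it parses a running-config excerpt (a constructed sample, not from a real switch) and applies the chapter's own rules: Port Fast ports should be protected by BPDU guard (globally through spanning-tree portfast bpduguard default or per interface through spanning-tree bpduguard enable), Port Fast on a trunk needs a loop-free path to the end station, and BPDU filtering on an interface is equivalent to disabling spanning tree there.

```python
# Constructed sample running-config excerpt (not from a real switch). The global
# "spanning-tree portfast bpduguard default" line is deliberately absent so the
# audit has something to report.
SAMPLE_CONFIG = """\
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
!
interface GigabitEthernet0/1
 description Workstation
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/2
 description Printer
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/3
 description Server trunk
 switchport mode trunk
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/24
 description Link to customer switch
 spanning-tree guard root
!
"""


def parse_config(text):
    """Split an IOS-style running-config into global lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())   # indented line belongs to the interface
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit_spanning_tree(text):
    """Return (interface, finding) pairs for the Port Fast / BPDU guard / BPDU filtering checks.

    The global "... default" commands only apply to Port Fast ports (the guide: ports in
    a Port Fast-operational state), and an interface-level "disable" overrides them.
    """
    global_lines, interfaces = parse_config(text)
    global_bpduguard = "spanning-tree portfast bpduguard default" in global_lines
    global_bpdufilter = "spanning-tree portfast bpdufilter default" in global_lines
    findings = []
    for name, lines in interfaces.items():
        portfast = any(l.startswith("spanning-tree portfast") and not l.endswith(" disable")
                       for l in lines)
        bpduguard = ("spanning-tree bpduguard enable" in lines
                     or (portfast and global_bpduguard
                         and "spanning-tree bpduguard disable" not in lines))
        bpdufilter = ("spanning-tree bpdufilter enable" in lines
                      or (portfast and global_bpdufilter
                          and "spanning-tree bpdufilter disable" not in lines))
        if portfast and not bpduguard:
            findings.append((name, "Port Fast without BPDU guard: a BPDU from an unexpected "
                                   "switch will not error-disable the port"))
        if "spanning-tree portfast trunk" in lines:
            findings.append((name, "Port Fast on a trunk port: confirm there is no loop "
                                   "between the trunk and the end station"))
        if bpdufilter:
            findings.append((name, "BPDU filtering enabled: equivalent to disabling "
                                   "spanning tree on this interface"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit_spanning_tree(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

On the sample, GigabitEthernet0/1 is reported for Port Fast without BPDU guard, GigabitEthernet0/3 for all three conditions, and GigabitEthernet0/2 (per-interface BPDU guard) and GigabitEthernet0/24 (root guard, no Port Fast) are clean. Adding the global spanning-tree portfast bpduguard default line clears the BPDU guard findings on both Port Fast ports, which is the change the guide's "Enabling BPDU Guard" procedure makes.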


Displaying  the  Spanning-Tree  Status 


To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 14-2:

Table 14-2  Commands for Displaying the Spanning-Tree Status

Command                                           Purpose
show spanning-tree active                         Displays spanning-tree information on active interfaces only.
show spanning-tree detail                         Displays a detailed summary of interface information.
show spanning-tree interface interface-id         Displays spanning-tree information for the specified interface.
show spanning-tree mst interface interface-id     Displays MST information for the specified interface.
show spanning-tree summary [totals]               Displays a summary of interface states or displays the total lines of the spanning-tree state section.

You  can  clear  spanning-tree  counters  by  using  the  clear  spanning-tree  [interface  interface-id] 
privileged  EXEC  command. 

For  information  about  other  keywords  for  the  show  spanning-tree  privileged  EXEC  command,  see  the 
command  reference  for  this  release. 
Configuring Flex Links and the MAC Address-Table Move Update Feature


This  chapter  describes  how  to  configure  Flex  Links,  a  pair  of  interfaces  on  the  switch  that  provide  a 
mutual  backup.  It  also  describes  how  to  configure  the  MAC  address-table  move  update  feature,  also 
referred  to  as  the  Flex  Links  bidirectional  fast  convergence  feature. 

Note  For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.

The  chapter  consists  of  these  sections: 

•  Understanding  Flex  Links  and  the  MAC  Address-Table  Move  Update,  page  15-1 

•  Configuring  Flex  Links  and  MAC  Address-Table  Move  Update,  page  15-5 

•  Monitoring  Flex  Links  and  the  MAC  Address-Table  Move  Update,  page  15-11 

Understanding  Flex  Links  and  the  MAC  Address-Table 
Move  Update 

This  section  contains  this  information: 

•  Flex  Links,  page  15-1 

•  VLAN  Flex  Link  Load  Balancing  and  Support,  page  15-2 

•  MAC  Address-Table  Move  Update,  page  15-3 

Flex  Links 

Flex Links are a pair of Layer 2 interfaces (switch ports or port channels) where one interface is configured to act as a backup to the other. The feature provides an alternative solution to the Spanning Tree Protocol (STP). Users can disable STP and still retain basic link redundancy. Flex Links are typically configured in service provider or enterprise networks where customers do not want to run STP on the switch. If the switch is running STP, Flex Links is not necessary because STP already provides link-level redundancy or backup.
You configure Flex Links on one Layer 2 interface (the active link) by assigning another Layer 2
interface  as  the  Flex  Link  or  backup  link.  When  one  of  the  links  is  up  and  forwarding  traffic,  the  other 
link  is  in  standby  mode,  ready  to  begin  forwarding  traffic  if  the  other  link  shuts  down.  At  any  given  time, 
only  one  of  the  interfaces  is  in  the  linkup  state  and  forwarding  traffic.  If  the  primary  link  shuts  down, 
the  standby  link  starts  forwarding  traffic.  When  the  active  link  comes  back  up,  it  goes  into  standby  mode 
and  does  not  forward  traffic.  STP  is  disabled  on  Flex  Link  interfaces. 

In  Figure  15-1,  ports  1  and  2  on  switch  A  are  connected  to  uplink  switches  B  and  C.  Because  they  are 
configured  as  Flex  Links,  only  one  of  the  interfaces  is  forwarding  traffic;  the  other  is  in  standby  mode. 
If  port  1  is  the  active  link,  it  begins  forwarding  traffic  between  port  1  and  switch  B;  the  link  between 
port  2  (the  backup  link)  and  switch  C  is  not  forwarding  traffic.  If  port  1  goes  down,  port  2  comes  up  and 
starts  forwarding  traffic  to  switch  C.  When  port  1  comes  back  up,  it  goes  into  standby  mode  and  does 
not  forward  traffic;  port  2  continues  forwarding  traffic. 

You can also choose to configure a preemption mechanism, specifying the preferred port for forwarding traffic. For example, in Figure 15-1, you can configure the Flex Links pair with preemption mode. In the scenario shown, when port 1 comes back up and has more bandwidth than port 2, port 1 begins forwarding traffic after 60 seconds. Port 2 becomes the standby port. You do this by entering the switchport backup interface preemption mode bandwidth and switchport backup interface preemption delay interface configuration commands.


Figure 15-1  Flex Links Configuration Example (figure label: Switch A)


If  a  primary  (forwarding)  link  goes  down,  a  trap  notifies  the  network  management  stations.  If  the  standby 
link  goes  down,  a  trap  notifies  the  users. 

Flex  Links  are  supported  only  on  Layer  2  ports  and  port  channels,  not  on  VLANs. 

VLAN  Flex  Link  Load  Balancing  and  Support 

VLAN Flex Link load balancing allows users to configure a Flex Link pair so that both ports simultaneously forward the traffic for some mutually exclusive VLANs. For example, if Flex Link ports are configured for VLANs 1-100, the traffic of the first 50 VLANs can be forwarded on one port and the rest on the other port. If one of the ports fails, the other active port forwards all the traffic. When the failed port comes back up, it resumes forwarding traffic in the preferred VLANs. This way, apart from providing the redundancy, this Flex Link pair can be used for load balancing. Also, Flex Link VLAN load balancing does not impose any restrictions on uplink switches.
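The failover, preemption and VLAN load-balancing rules described in the two sections above interact, and it is worth seeing them together before enabling them on a pair that carries production traffic. The following Python model is an added example, not code from the guide or from Cisco IOS; it encodes those rules as a small state machine so you can trace which port forwards a given VLAN after each link event. Port names, bandwidth figures and the 60-second preemption delay are constructed values, and the model's assumption that a restored active port resumes its own VLAN set when load balancing is configured is an interpretation of the text, not a statement about switch internals.

```python
class FlexLinkPair:
    """Model of one Flex Link pair (active interface plus backup).

    Rules modelled (constructed illustration, not switch code):
      - one port forwards while the other stands by; if the forwarding port goes
        down the survivor forwards everything;
      - a restored port stays in standby (preemption mode off) unless preemption
        mode "bandwidth" applies, in which case the port with more bandwidth takes
        over after the preemption delay;
      - with preferred VLANs on the backup, each port forwards its own VLAN set
        while both are up and resumes it when it comes back from a failure.
    """

    def __init__(self, active, backup, bandwidth, preferred_vlans=(),
                 preemption_mode="off", preemption_delay=35):
        self.active, self.backup = active, backup
        self.bandwidth = bandwidth                    # {port: Mb/s}, constructed values
        self.preferred = frozenset(preferred_vlans)   # VLANs preferred on the backup
        self.preemption_mode = preemption_mode        # "off" (default) or "bandwidth"
        self.preemption_delay = preemption_delay      # seconds; the guide's default is 35
        self.up = {active: True, backup: True}
        self.forwarder = active                       # port carrying non-preferred VLANs
        self.pending = None                           # (port, time) scheduled takeover

    def _other(self, port):
        return self.backup if port == self.active else self.active

    def link_down(self, port, now):
        self.up[port] = False
        if self.pending and self.pending[0] == port:
            self.pending = None                       # a port that is down cannot preempt
        if self.forwarder == port:
            self.forwarder = self._other(port)        # survivor takes all traffic

    def link_up(self, port, now):
        self.up[port] = True
        if self.forwarder == port:
            return
        if self.preferred and port == self.active:
            self.forwarder = port                     # load balancing: resume own VLAN set
        elif (self.preemption_mode == "bandwidth"
              and self.bandwidth[port] > self.bandwidth[self.forwarder]):
            self.pending = (port, now + self.preemption_delay)

    def _settle(self, now):
        if self.pending and now >= self.pending[1]:
            self.forwarder = self.pending[0]          # preemption delay has elapsed
            self.pending = None

    def forwarding_port(self, vlan, now):
        """Return the port forwarding this VLAN at time 'now' (None if both are down)."""
        self._settle(now)
        live = [p for p, is_up in self.up.items() if is_up]
        if not live:
            return None
        if len(live) == 1:
            return live[0]                            # only one link up: it carries everything
        if vlan in self.preferred:
            return self.backup                        # load balancing: backup owns these VLANs
        return self.forwarder


if __name__ == "__main__":
    pair = FlexLinkPair("Gi0/1", "Gi0/2", {"Gi0/1": 1000, "Gi0/2": 100},
                        preemption_mode="bandwidth", preemption_delay=60)
    pair.link_down("Gi0/1", 5)
    pair.link_up("Gi0/1", 20)
    for t in (6, 50, 80):
        print(f"t={t}s: VLAN 10 forwarded on {pair.forwarding_port(10, t)}")
```

With preemption off, Gi0/1 stays in standby after it recovers, exactly as the "Flex Links" section describes; with preemption mode bandwidth and a 60-second delay it takes back the traffic at t=80, and with preferred VLANs configured on Gi0/2 the two ports split the VLAN range and each resumes its own share after a failure.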
Figure 15-2  VLAN Flex Links Load Balancing Configuration Example


MAC  Address-Table  Move  Update 

The  MAC  address-table  move  update  feature  allows  the  switch  to  provide  rapid  bidirectional 
convergence  when  a  primary  (forwarding)  link  goes  down  and  the  standby  link  begins  forwarding 
traffic. 

In  Figure  15-3,  switch  A  is  an  access  switch,  and  ports  1  and  2  on  switch  A  are  connected  to  uplink 
switches  B  and  D  through  a  Flex  Link  pair.  Port  1  is  forwarding  traffic,  and  port  2  is  in  the  backup  state. 
Traffic  from  the  PC  to  the  server  is  forwarded  from  port  1  to  port  3.  The  MAC  address  of  the  PC  has 
been  learned  on  port  3  of  switch  C.  Traffic  from  the  server  to  the  PC  is  forwarded  from  port  3  to  port  1. 

If  the  MAC  address-table  move  update  feature  is  not  configured  and  port  1  goes  down,  port  2  starts 
forwarding  traffic.  However,  for  a  short  time,  switch  C  keeps  forwarding  traffic  from  the  server  to  the 
PC  through  port  3,  and  the  PC  does  not  get  the  traffic  because  port  1  is  down.  If  switch  C  removes  the 
MAC  address  of  the  PC  on  port  3  and  relearns  it  on  port  4,  traffic  can  then  be  forwarded  from  the  server 
to  the  PC  through  port  2. 

If  the  MAC  address-table  move  update  feature  is  configured  and  enabled  on  the  switches  in  Figure  15-3 
and  port  1  goes  down,  port  2  starts  forwarding  traffic  from  the  PC  to  the  server.  The  switch  sends  a  MAC 
address-table  move  update  packet  from  port  2.  Switch  C  gets  this  packet  on  port  4  and  immediately 
learns  the  MAC  address  of  the  PC  on  port  4,  which  reduces  the  reconvergence  time. 

You  can  configure  the  access  switch,  switch  A,  to  send  MAC  address-table  move  update  messages.  You 
can  also  configure  the  uplink  switches  B,  C,  and  D  to  get  and  process  the  MAC  address-table  move 
update  messages.  When  switch  C  gets  a  MAC  address-table  move  update  message  from  switch  A, 
switch  C  learns  the  MAC  address  of  the  PC  on  port  4.  Switch  C  updates  the  MAC  address  table, 
including  the  forwarding  table  entry  for  the  PC.  The  switch  then  starts  forwarding  traffic  from  the  server 
to  the  PC  through  port  4,  which  reduces  the  loss  of  traffic  from  the  server  to  the  PC. 
Configuring Flex Links and MAC Address-Table Move Update

These  sections  contain  this  information: 

•  Configuration  Guidelines,  page  15-5 

•  Default  Configuration,  page  15-5 

Configuration  Guidelines 

Follow  these  guidelines  to  configure  Flex  Links: 

•  You  can  configure  only  one  Flex  Link  backup  link  for  any  active  link,  and  it  must  be  a  different 
interface  from  the  active  interface. 

•  An  interface  can  belong  to  only  one  Flex  Link  pair.  An  interface  can  be  a  backup  link  for  only  one 
active  link.  An  active  link  cannot  belong  to  another  Flex  Link  pair. 

•  Neither  of  the  links  can  be  a  port  that  belongs  to  an  EtherChannel.  However,  you  can  configure  two 
port  channels  (EtherChannel  logical  interfaces)  as  Flex  Links,  and  you  can  configure  a  port  channel 
and  a  physical  interface  as  Flex  Links,  with  either  the  port  channel  or  the  physical  interface  as  the 
active  link. 

•  A  backup  link  does  not  have  to  be  the  same  type  (Gigabit  Ethernet,  or  port  channel)  as  the  active 
link.  However,  you  should  configure  both  Flex  Links  with  similar  characteristics  so  that  there  are 
no  loops  or  changes  in  behavior  if  the  standby  link  begins  to  forward  traffic. 

•  STP  is  disabled  on  Flex  Link  ports.  A  Flex  Link  port  does  not  participate  in  STP,  even  if  the  VLANs 
present  on  the  port  are  configured  for  STP.  When  STP  is  not  enabled,  be  sure  that  there  are  no  loops 
in  the  configured  topology. 

Follow  this  guideline  to  configure  VLAN  load  balancing  on  the  Flex  Links  feature: 

For  Flex  Link  VLAN  load  balancing,  you  must  choose  the  preferred  VLANs  on  the  backup 
interface. 

Follow  these  guidelines  to  configure  MAC  address-table  move  update  feature: 

•  You  can  enable  and  configure  this  feature  on  the  access  switch  to  send  the  MAC  address-table  move 
updates. 

•  You  can  enable  and  configure  this  feature  on  the  uplink  switches  to  get  the  MAC  address-table  move 
updates. 
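The pairing rules above (one backup per active link, an interface in only one pair, no EtherChannel member ports) are easy to violate when Flex Links are spread over many interfaces. The following linter is an added example, not from the Cisco guide: it reads a constructed running-config excerpt, extracts the Flex Link pairs and EtherChannel members, and reports each guideline violation. The sample configuration, the function names and the simplified parsing (only `interface`, `switchport backup interface` and `channel-group` lines are interpreted) are assumptions made for the example.

```python
import re

# Constructed running-config excerpt (not from the guide). It deliberately
# contains two guideline violations so the linter has something to report:
# Gi0/2 is the backup for two active links, and Gi0/5 is an EtherChannel member.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport backup interface GigabitEthernet0/2
 switchport backup interface GigabitEthernet0/2 preemption mode forced
!
interface GigabitEthernet0/3
 switchport backup interface GigabitEthernet0/2
!
interface GigabitEthernet0/5
 channel-group 1 mode on
 switchport backup interface GigabitEthernet0/6
!
interface Port-channel1
 switchport backup interface GigabitEthernet0/7
"""


def parse_flex_links(config_text):
    """Return ([(active, backup), ...], {etherchannel member ports}) from a
    running-config excerpt. Only 'interface', 'switchport backup interface'
    and 'channel-group' lines are interpreted; everything else is ignored."""
    pairs = []
    members = set()
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        m = re.match(r"switchport backup interface (\S+)", line)
        if m:
            pair = (current, m.group(1))
            # preemption / prefer / mmu lines repeat the same pair; count it once
            if pair not in pairs:
                pairs.append(pair)
        elif line.startswith("channel-group "):
            members.add(current)
    return pairs, members


def lint_flex_links(pairs, etherchannel_members=frozenset()):
    """Check Flex Link pairs against the guidelines; returns a list of
    human-readable violations (an empty list means the pairs are clean)."""
    problems = []
    seen_active = set()
    seen_backup = set()
    for active, backup in pairs:
        if active == backup:
            problems.append(f"{active}: the backup must be a different interface from the active")
        for port in (active, backup):
            if port in etherchannel_members:
                problems.append(f"{port}: a port that belongs to an EtherChannel cannot be a Flex Link")
        if active in seen_active:
            problems.append(f"{active}: only one backup link may be configured per active link")
        if active in seen_backup:
            problems.append(f"{active}: already a backup link; an interface belongs to only one pair")
        if backup in seen_backup:
            problems.append(f"{backup}: already the backup for another active link")
        if backup in seen_active:
            problems.append(f"{backup}: already an active link and cannot also be a backup")
        seen_active.add(active)
        seen_backup.add(backup)
    return problems


if __name__ == "__main__":
    found_pairs, members = parse_flex_links(SAMPLE_CONFIG)
    for problem in lint_flex_links(found_pairs, members):
        print("VIOLATION:", problem)
```

A port channel used as an active or backup link (Port-channel1 above) is accepted, matching the guideline that two port channels, or a port channel and a physical interface, may form a pair; only physical member ports of an EtherChannel are rejected.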

Default  Configuration 

The  Flex  Links  are  not  configured,  and  there  are  no  backup  interfaces  defined. 

The  preemption  mode  is  off. 

The  preemption  delay  is  35  seconds. 

The  MAC  address-table  move  update  feature  is  not  configured  on  the  switch. 
Configuring Flex Links and MAC Address-Table Move Update

This  section  contains  this  information: 

•  Configuring  Flex  Links,  page  15-6 

•  Configuring  VLAN  Load  Balancing  on  Flex  Links,  page  15-8 

•  Configuring  the  MAC  Address-Table  Move  Update  Feature,  page  15-9 


Configuring  Flex  Links 

Beginning in privileged EXEC mode, follow these steps to configure a pair of Flex Links:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface). The port-channel range is 1 to 48.

Step 3  switchport backup interface interface-id
        Configure a physical Layer 2 interface (or port channel) as part of a Flex Link pair with the interface. When one link is forwarding traffic, the other interface is in standby mode.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show interface [interface-id] switchport backup
        Verify the configuration.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the switch startup configuration file.

This example shows how to configure an interface with a backup interface and to verify the configuration:

Switch# configure terminal
Switch(conf)# interface gigabitethernet0/1
Switch(conf-if)# switchport backup interface gigabitethernet0/2
Switch(conf-if)# end

Switch# show interface switchport backup

Switch Backup Interface Pairs:

Active Interface        Backup Interface        State
GigabitEthernet0/1      GigabitEthernet0/2      Active Up/Backup Standby
Beginning in privileged EXEC mode, follow these steps to configure a preemption scheme for a pair of Flex Links:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface). The port-channel range is 1 to 48.

Step 3  switchport backup interface interface-id
        Configure a physical Layer 2 interface (or port channel) as part of a Flex Links pair with the interface. When one link is forwarding traffic, the other interface is in standby mode.

Step 4  switchport backup interface interface-id preemption mode {forced | bandwidth | off}
        Configure a preemption mechanism and delay for a Flex Link interface pair. You can configure the preemption as:
        •  forced: the active interface always preempts the backup.
        •  bandwidth: the interface with the higher bandwidth always acts as the active interface.
        •  off: no preemption happens from active to backup.

Step 5  switchport backup interface interface-id preemption delay delay-time
        Configure the time delay until a port preempts another port.
        Note  Setting a delay time only works with forced and bandwidth modes.

Step 6  end
        Return to privileged EXEC mode.

Step 7  show interface [interface-id] switchport backup
        Verify the configuration.

Step 8  copy running-config startup-config
        (Optional) Save your entries in the switch startup configuration file.

This example shows how to configure the preemption mode as forced for a backup interface pair and to verify the configuration:

Switch# configure terminal
Switch(conf)# interface gigabitethernet0/1
Switch(conf-if)# switchport backup interface gigabitethernet0/2 preemption mode forced
Switch(conf-if)# switchport backup interface gigabitethernet0/2 preemption delay 50
Switch(conf-if)# end

Switch# show interface switchport backup detail

Active Interface        Backup Interface        State
GigabitEthernet0/1      GigabitEthernet0/2      Active Up/Backup Standby
        Interface Pair   : Gi0/1, Gi0/2
        Preemption Mode  : forced
        Preemption Delay : 50 seconds
        Bandwidth        : 100000 Kbit (Gi0/1), 100000 Kbit (Gi0/2)
        Mac Address Move Update Vlan : auto
Configuring VLAN Load Balancing on Flex Links

Beginning in privileged EXEC mode, follow these steps to configure VLAN load balancing on Flex Links:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface). The port-channel range is 1 to 48.

Step 3  switchport backup interface interface-id prefer vlan vlan-id
        Configure a physical Layer 2 interface (or port channel) as part of a Flex Links pair with the interface. When one link is forwarding traffic, the other interface is in standby mode.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show interfaces [interface-id] switchport backup
        Verify the configuration.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the switch startup configuration file.

In the following example, VLANs 1 to 50, 60, and 100 to 120 are configured on the switch:

Switch(config)#interface gigabitEthernet 0/6
Switch(config-if)#switchport backup interface gigabitEthernet 0/8 prefer vlan 60,100-120

When both interfaces are up, Gi0/8 forwards traffic for VLANs 60 and 100 to 120 and Gi0/6 forwards traffic for VLANs 1 to 50.

Switch#show interfaces switchport backup

Switch Backup Interface Pairs:

Active Interface        Backup Interface        State
GigabitEthernet0/6      GigabitEthernet0/8      Active Up/Backup Standby

Vlans Preferred on Active Interface: 1-50
Vlans Preferred on Backup Interface: 60, 100-120

When a Flex Link interface goes down (LINK_DOWN), VLANs preferred on this interface are moved to the peer interface of the Flex Link pair. In this example, if interface Gi0/6 goes down, Gi0/8 carries all VLANs of the Flex Link pair.

Switch#show interfaces switchport backup

Switch Backup Interface Pairs:

Active Interface        Backup Interface        State
GigabitEthernet0/6      GigabitEthernet0/8      Active Down/Backup Up

Vlans Preferred on Active Interface: 1-50
Vlans Preferred on Backup Interface: 60, 100-120

When a Flex Link interface comes up, VLANs preferred on this interface are blocked on the peer interface and moved to the forwarding state on the interface that has just come up. In this example, if interface Gi0/6 comes up, VLANs preferred on this interface are blocked on the peer interface Gi0/8 and forwarded on Gi0/6.

Switch#show interfaces switchport backup

Switch Backup Interface Pairs:

Active Interface        Backup Interface        State
GigabitEthernet0/6      GigabitEthernet0/8      Active Up/Backup Standby

Vlans Preferred on Active Interface: 1-50
Vlans Preferred on Backup Interface: 60, 100-120

Switch#show interfaces switchport backup detail

Switch Backup Interface Pairs:

Active Interface        Backup Interface        State
FastEthernet0/3         FastEthernet0/4         Active Down/Backup Up

Vlans Preferred on Active Interface: 1-2,5-4094
Vlans Preferred on Backup Interface: 3-4
        Preemption Mode  : off
        Bandwidth        : 10000 Kbit (Fa0/3), 100000 Kbit (Fa0/4)
        Mac Address Move Update Vlan : auto
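The three show outputs above trace one VLAN load-balancing pair through both links up, the active link down, and the active link back up. The model below is an added example, not from the Cisco guide or its software: it expands the `prefer vlan` notation, computes which interface forwards each VLAN for a given link state, and renders the VLAN sets back in the notation the show command uses. The function names, the `allowed_vlans` input (standing in for the VLANs configured on the switch) and the two State strings not shown on the page ("Active Up/Backup Down", "Active Down/Backup Down") are assumptions made for the example.

```python
def parse_vlan_list(spec):
    """Expand a VLAN list such as '60,100-120' into a set of VLAN IDs.
    Both single IDs and hyphenated ranges are accepted, as in 'prefer vlan'."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def format_vlan_list(vlans):
    """Collapse a set of VLAN IDs into the '1-50,60,100-120' notation used
    in the 'Vlans Preferred on ... Interface' lines."""
    ranges = []
    start = prev = None
    for v in sorted(vlans):
        if start is None:
            start = prev = v
        elif v == prev + 1:
            prev = v
        else:
            ranges.append((start, prev))
            start = prev = v
    if start is not None:
        ranges.append((start, prev))
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in ranges)


def flex_link_forwarding(allowed_vlans, preferred_on_backup, active_up, backup_up):
    """Return {'active': set, 'backup': set}: the VLANs each interface forwards.

    Both up:      backup forwards its preferred VLANs, active forwards the rest.
    Active down:  the backup carries every VLAN of the pair.
    Backup down:  the active carries every VLAN of the pair.
    """
    allowed = set(allowed_vlans)
    backup_pref = set(preferred_on_backup) & allowed
    active_pref = allowed - backup_pref
    if active_up and backup_up:
        return {"active": active_pref, "backup": backup_pref}
    if active_up:
        return {"active": allowed, "backup": set()}
    if backup_up:
        return {"active": set(), "backup": allowed}
    return {"active": set(), "backup": set()}


def pair_state(active_up, backup_up):
    """State column of 'show interfaces switchport backup'. The two strings for
    a down backup are assumed; the page only shows the other two."""
    if active_up and backup_up:
        return "Active Up/Backup Standby"
    if active_up:
        return "Active Up/Backup Down"      # assumed wording
    if backup_up:
        return "Active Down/Backup Up"
    return "Active Down/Backup Down"        # assumed wording


if __name__ == "__main__":
    # Constructed input matching the example: VLANs 1-50, 60 and 100-120 exist,
    # Gi0/8 (backup) prefers 60 and 100-120.
    allowed = parse_vlan_list("1-50,60,100-120")
    preferred = parse_vlan_list("60,100-120")
    for active_up, backup_up in ((True, True), (False, True), (True, True)):
        fwd = flex_link_forwarding(allowed, preferred, active_up, backup_up)
        print(pair_state(active_up, backup_up))
        print("  Gi0/6 forwards:", format_vlan_list(fwd["active"]) or "none")
        print("  Gi0/8 forwards:", format_vlan_list(fwd["backup"]) or "none")
```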


Configuring  the  MAC  Address-Table  Move  Update  Feature 

This  section  contains  this  information: 

•  Configuring  a  switch  to  send  MAC  address-table  move  updates 

•  Configuring  a  switch  to  get  MAC  address-table  move  updates 

Beginning in privileged EXEC mode, follow these steps to configure an access switch to send MAC address-table move updates:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify the interface, and enter interface configuration mode. The interface can be a physical Layer 2 interface or a port channel (logical interface). The port-channel range is 1 to 48.

Step 3  switchport backup interface interface-id
        Configure a physical Layer 2 interface (or port channel) as part of a Flex Link pair with the interface. The MAC address-table move update VLAN is the lowest VLAN ID on the interface.

        or

        switchport backup interface interface-id mmu primary vlan vlan-id
        Configure a physical Layer 2 interface (or port channel) and specify the VLAN ID on the interface, which is used for sending the MAC address-table move update.

        When one link is forwarding traffic, the other interface is in standby mode.

Step 4  exit
        Return to global configuration mode.

Step 5  mac address-table move update transmit
        Enable the access switch to send MAC address-table move updates to other switches in the network if the primary link goes down and the switch starts forwarding traffic through the standby link.

Step 6  end
        Return to privileged EXEC mode.

Step 7  show mac address-table move update
        Verify the configuration.

Step 8  copy running-config startup-config
        (Optional) Save your entries in the switch startup configuration file.

To  disable  the  MAC  address-table  move  update  feature,  use  the  no  mac  address-table  move  update 
transmit  interface  configuration  command.  To  display  the  MAC  address-table  move  update 
information,  use  the  show  mac  address-table  move  update  privileged  EXEC  command. 

This  example  shows  how  to  configure  an  access  switch  to  send  MAC  address-table  move  update 
messages: 

Switch# configure terminal
Switch(conf)# interface gigabitethernet0/1
Switch(conf-if)# switchport backup interface gigabitethernet0/2 mmu primary vlan 2
Switch(conf-if)# exit
Switch(conf)# mac address-table move update transmit
Switch(conf)# end

This example shows how to verify the configuration:

Switch# show mac-address-table move update

Switch-ID : 010b.4630.1780
Dst mac-address : 0180.c200.0010
Vlans/Macs supported : 1023/8320
Default/Current settings: Rcv Off/On, Xmt Off/On
Max packets per min : Rcv 40, Xmt 60
Rcv packet count : 5
Rcv conforming packet count : 5
Rcv invalid packet count : 0
Rcv packet count this min : 0
Rcv threshold exceed count : 0
Rcv last sequence# this min : 0
Rcv last interface : Po2
Rcv last src-mac-address : 000b.462d.c502
Rcv last switch-ID : 0403.fd6a.8700
Xmt packet count : 0
Xmt packet count this min : 0
Xmt threshold exceed count : 0
Xmt pak buf unavail cnt : 0
Xmt last interface : None
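The verification output above is what an operator or a monitoring job would read to confirm that the feature is on and that updates are being exchanged cleanly. The following parser is an added example, not from the Cisco guide: it turns the key/value lines of `show mac address-table move update` into a dictionary, reads the current receive and transmit state from the `Default/Current settings` line, and flags the counters that indicate trouble (invalid received updates, rate-limit threshold hits, unavailable packet buffers). The sample output is a constructed copy of the page's example, and the function names and the choice of which counters to alert on are assumptions made for the example.

```python
# Constructed copy of the show output on this page (values are the page's).
SAMPLE_OUTPUT = """\
Switch-ID : 010b.4630.1780
Dst mac-address : 0180.c200.0010
Vlans/Macs supported : 1023/8320
Default/Current settings: Rcv Off/On, Xmt Off/On
Max packets per min : Rcv 40, Xmt 60
Rcv packet count : 5
Rcv conforming packet count : 5
Rcv invalid packet count : 0
Rcv packet count this min : 0
Rcv threshold exceed count : 0
Rcv last sequence# this min : 0
Rcv last interface : Po2
Rcv last src-mac-address : 000b.462d.c502
Rcv last switch-ID : 0403.fd6a.8700
Xmt packet count : 0
Xmt packet count this min : 0
Xmt threshold exceed count : 0
Xmt pak buf unavail cnt : 0
Xmt last interface : None
"""

# Counters whose non-zero value deserves attention, with what each one means.
ALERT_COUNTERS = {
    "Rcv invalid packet count": "malformed or unexpected move-update messages were received",
    "Rcv threshold exceed count": "receive rate limit (Max packets per min) was exceeded",
    "Xmt threshold exceed count": "transmit rate limit (Max packets per min) was exceeded",
    "Xmt pak buf unavail cnt": "packet buffers were unavailable when sending updates",
}


def parse_mmu_status(text):
    """Split each 'key : value' line of the show output into a dict.
    The split is on the first colon, so values containing colons survive."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def mmu_enabled(fields):
    """Return (receive_on, transmit_on) from the current half of the
    'Default/Current settings' line, e.g. 'Rcv Off/On, Xmt Off/On'."""
    current = {}
    for item in fields.get("Default/Current settings", "").split(","):
        parts = item.split()
        if len(parts) == 2 and "/" in parts[1]:
            current[parts[0]] = parts[1].split("/", 1)[1] == "On"
    return current.get("Rcv", False), current.get("Xmt", False)


def mmu_health_warnings(fields):
    """Return a list of warning strings for every alert counter that is non-zero."""
    warnings = []
    for key, meaning in ALERT_COUNTERS.items():
        try:
            count = int(fields.get(key, "0"))
        except ValueError:
            continue  # unparseable value; leave it to a human
        if count > 0:
            warnings.append(f"{key}={count}: {meaning}")
    return warnings


if __name__ == "__main__":
    status = parse_mmu_status(SAMPLE_OUTPUT)
    rcv, xmt = mmu_enabled(status)
    print(f"receive={'on' if rcv else 'off'} transmit={'on' if xmt else 'off'}")
    print("last update from", status.get("Rcv last switch-ID"), "via", status.get("Rcv last interface"))
    for warning in mmu_health_warnings(status) or ["no counters need attention"]:
        print(warning)
```

A non-zero `Rcv invalid packet count` on an uplink switch is the counter to watch: it means move-update messages arrived that the switch could not accept, which is worth correlating with the `Rcv last src-mac-address` and `Rcv last interface` fields.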


Beginning in privileged EXEC mode, follow these steps to configure a switch to get and process MAC address-table move update messages:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  mac address-table move update receive
        Enable the switch to get and process the MAC address-table move updates.

Step 3  end
        Return to privileged EXEC mode.

Step 4  show mac address-table move update
        Verify the configuration.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the switch startup configuration file.

To  disable  the  MAC  address-table  move  update  feature,  use  the  no  mac  address-table  move  update 
receive  configuration  command.  To  display  the  MAC  address-table  move  update  information,  use  the 
show  mac  address-table  move  update  privileged  EXEC  command. 

This  example  shows  how  to  configure  a  switch  to  get  and  process  MAC  address-table  move  update 
messages: 

Switch# configure terminal
Switch(conf)# mac address-table move update receive
Switch(conf)# end

Monitoring Flex Links and the MAC Address-Table Move Update

Table  15-1  shows  the  privileged  EXEC  commands  for  monitoring  the  Flex  Links  configuration  and  the 
MAC  address-table  move  update  information. 


Table 15-1  Flex Links and MAC Address-Table Move Update Monitoring Commands

Command                                           Purpose
show interface [interface-id] switchport backup   Displays the Flex Link backup interface configured for an interface or all the configured Flex Links and the state of each active and backup interface (up or standby mode).
show mac address-table move update                Displays the MAC address-table move update information on the switch.

380261-003

Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide
CHAPTER 16

Configuring DHCP Features


This  chapter  describes  how  to  configure  DHCP  snooping  and  the  option-82  data  insertion  features  on 
the  switch. 


Note  For complete syntax and usage information for the commands used in this chapter, see the command reference for this release, and see the "DHCP Commands" section in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2.

This  chapter  consists  of  these  sections: 

•  Understanding  DHCP  Features,  page  16-1 

•  Configuring  DHCP  Features,  page  16-5 

•  Displaying  DHCP  Snooping  Information,  page  16-9 

Understanding  DHCP  Features 

DHCP  is  widely  used  in  LAN  environments  to  dynamically  assign  host  IP  addresses  from  a  centralized 
server,  which  significantly  reduces  the  overhead  of  administration  of  IP  addresses.  DHCP  also  helps 
conserve  the  limited  IP  address  space  because  IP  addresses  no  longer  need  to  be  permanently  assigned 
to  hosts;  only  those  hosts  that  are  connected  to  the  network  consume  IP  addresses. 

These  sections  contain  this  information: 

•  DHCP  Server,  page  16-2 

•  DHCP  Relay  Agent,  page  16-2 

•  DHCP  Snooping,  page  16-2 

•  Option-82  Data  Insertion,  page  16-3 

For  information  about  the  DHCP  client,  see  the  "Configuring  DHCP"  section  of  the  " IP  Addressing  and 
Services"  section  of  the  Cisco  IOS  IP  Configuration  Guide,  Release  12.2. 


DHCP  Server 

The  DHCP  server  assigns  IP  addresses  from  specified  address  pools  on  a  switch  or  router  to  DHCP 
clients  and  manages  them.  If  the  DHCP  server  cannot  give  the  DHCP  client  the  requested  configuration 
parameters  from  its  database,  it  forwards  the  request  to  one  or  more  secondary  DHCP  servers  defined 
by  the  network  administrator. 

DHCP  Relay  Agent 

A  DHCP  relay  agent  is  a  Layer  3  device  that  forwards  DHCP  packets  between  clients  and  servers.  Relay 
agents  forward  requests  and  replies  between  clients  and  servers  when  they  are  not  on  the  same  physical 
subnet.  Relay  agent  forwarding  is  different  from  the  normal  Layer  2  forwarding,  in  which  IP  datagrams 
are  switched  transparently  between  networks.  Relay  agents  receive  DHCP  messages  and  generate  new 
DHCP  messages  to  send  on  output  interfaces. 

DHCP  Snooping 

DHCP  snooping  is  a  DHCP  security  feature  that  provides  network  security  by  filtering  untrusted  DHCP 
messages  and  by  building  and  maintaining  a  DHCP  snooping  binding  database,  also  referred  to  as  a 
DHCP  snooping  binding  table.  For  more  information  about  this  database,  see  the  "Displaying  DHCP 
Snooping  Information"  section  on  page  16-9. 

DHCP  snooping  acts  like  a  firewall  between  untrusted  hosts  and  DHCP  servers.  You  use  DHCP 
snooping  to  differentiate  between  untrusted  interfaces  connected  to  the  end  user  and  trusted  interfaces 
connected  to  the  DHCP  server  or  another  switch. 


Note      For  DHCP  snooping  to  function  properly,  all  DHCP  servers  must  be  connected  to  the  switch  through 
trusted  interfaces. 


An  untrusted  DHCP  message  is  a  message  that  is  received  from  outside  the  network  or  firewall.  When 
you  use  DHCP  snooping  in  a  service-provider  environment,  an  untrusted  message  is  sent  from  a  device 
that  is  not  in  the  service-provider  network,  such  as  a  customer's  switch.  Messages  from  unknown 
devices  are  untrusted  because  they  can  be  sources  of  traffic  attacks. 

The  DHCP  snooping  binding  database  has  the  MAC  address,  the  IP  address,  the  lease  time,  the  binding 
type,  the  VLAN  number,  and  the  interface  information  that  corresponds  to  the  local  untrusted  interfaces 
of  a  switch.  It  does  not  have  information  regarding  hosts  interconnected  with  a  trusted  interface. 

In  a  service-provider  network,  a  trusted  interface  is  connected  to  a  port  on  a  device  in  the  same  network. 
An  untrusted  interface  is  connected  to  an  untrusted  interface  in  the  network  or  to  an  interface  on  a  device 
that  is  not  in  the  network. 

When  a  switch  receives  a  packet  on  an  untrusted  interface  and  the  interface  belongs  to  a  VLAN  in  which 
DHCP  snooping  is  enabled,  the  switch  compares  the  source  MAC  address  and  the  DHCP  client  hardware 
address.  If  the  addresses  match  (the  default),  the  switch  forwards  the  packet.  If  the  addresses  do  not 
match,  the  switch  drops  the  packet. 
The switch drops a DHCP packet when one of these situations occurs:

•  A  packet  from  a  DHCP  server,  such  as  a  DHCPOFFER,  DHCPACK,  DHCPNAK,  or 
DHCPLEASEQUERY  packet,  is  received  from  outside  the  network  or  firewall. 

•  A  packet  is  received  on  an  untrusted  interface,  and  the  source  MAC  address  and  the  DHCP  client 
hardware  address  do  not  match. 

•  The  switch  receives  a  DHCPRELEASE  or  DHCPDECLINE  broadcast  message  that  has  a  MAC 
address  in  the  DHCP  snooping  binding  database,  but  the  interface  information  in  the  binding 
database  does  not  match  the  interface  on  which  the  message  was  received. 

•  A  DHCP  relay  agent  forwards  a  DHCP  packet  that  includes  a  relay-agent  IP  address  that  is  not 
0.0.0.0,  or  the  relay  agent  forwards  a  packet  that  includes  option-82  information  to  an  untrusted  port. 

If  the  switch  is  an  aggregation  switch  supporting  DHCP  snooping  and  is  connected  to  an  edge  switch 
that  is  inserting  DHCP  option-82  information,  the  switch  drops  packets  with  option-82  information  when 
packets  are  received  on  an  untrusted  interface.  If  DHCP  snooping  is  enabled  and  packets  are  received 
on  a  trusted  port,  the  aggregation  switch  does  not  learn  the  DHCP  snooping  bindings  for  connected 
devices  and  cannot  build  a  complete  DHCP  snooping  binding  database. 

When  an  aggregation  switch  can  be  connected  to  an  edge  switch  through  an  untrusted  interface  and  you 
enter  the  ip  dhcp  snooping  information  option  allow-untrusted  global  configuration  command,  the 
aggregation  switch  accepts  packets  with  option-82  information  from  the  edge  switch.  The  aggregation 
switch  learns  the  bindings  for  hosts  connected  through  an  untrusted  switch  interface.  The  DHCP  security 
features  can  still  be  enabled  on  the  aggregation  switch  while  the  switch  receives  packets  with  option-82 
information  on  untrusted  input  interfaces  to  which  hosts  are  connected.  The  port  on  the  edge  switch  that 
connects  to  the  aggregation  switch  must  be  configured  as  a  trusted  interface. 
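The drop rules listed above, together with the trusted/untrusted port distinction and the allow-untrusted exception for aggregation switches, form a small decision procedure. The following model is an added example, not from the Cisco guide or Cisco IOS: it evaluates a constructed DHCP packet arriving on a port against a simplified snooping state and returns whether the switch forwards or drops it and why. The data classes, the single-interface binding table, the `mac_verify` flag (modelling the MAC address verification the page says is on by default) and the ordering of the checks are assumptions made for the example; the real implementation's ordering is not described on the page.

```python
from dataclasses import dataclass, field

# Server-originated message types that must not arrive on an untrusted interface.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPLEASEQUERY"}


@dataclass
class DhcpPacket:
    msg_type: str               # DHCPDISCOVER, DHCPOFFER, DHCPRELEASE, ...
    src_mac: str                # Ethernet source address of the frame
    chaddr: str                 # client hardware address field in the DHCP header
    giaddr: str = "0.0.0.0"     # relay agent IP address field
    has_option82: bool = False  # relay agent information option present


@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool = False       # 'ip dhcp snooping trust'; default is untrusted


@dataclass
class SnoopingState:
    enabled_vlans: set = field(default_factory=set)   # 'ip dhcp snooping vlan'
    mac_verify: bool = True                            # MAC address verification (default on)
    allow_untrusted_option82: bool = False             # 'information option allow-untrusted'
    bindings: dict = field(default_factory=dict)       # client MAC -> interface (simplified)


def _norm(mac):
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def snooping_decision(pkt, port, state):
    """Return ('forward' | 'drop', reason) for one packet on one port."""
    if port.vlan not in state.enabled_vlans:
        return "forward", "DHCP snooping is not enabled on this VLAN"

    # RELEASE/DECLINE must arrive on the interface recorded in the binding database.
    if pkt.msg_type in {"DHCPRELEASE", "DHCPDECLINE"}:
        bound_if = state.bindings.get(_norm(pkt.chaddr))
        if bound_if is not None and bound_if != port.name:
            return "drop", f"{pkt.msg_type} received on {port.name}, binding is on {bound_if}"

    if port.trusted:
        return "forward", "trusted interface"

    # Everything below applies to untrusted interfaces only.
    if pkt.msg_type in SERVER_MESSAGES:
        return "drop", f"server message {pkt.msg_type} on untrusted interface"
    if state.mac_verify and _norm(pkt.src_mac) != _norm(pkt.chaddr):
        return "drop", "source MAC does not match DHCP client hardware address"
    if pkt.giaddr != "0.0.0.0":
        return "drop", "relay agent IP address is not 0.0.0.0 on untrusted interface"
    if pkt.has_option82 and not state.allow_untrusted_option82:
        return "drop", "option-82 information on untrusted interface"
    return "forward", "passed DHCP snooping checks"


if __name__ == "__main__":
    # Constructed scenario: snooping on VLAN 10, one client bound to Gi0/2.
    state = SnoopingState(enabled_vlans={10}, bindings={"001122334455": "GigabitEthernet0/2"})
    client_port = Port("GigabitEthernet0/2", 10)
    uplink = Port("GigabitEthernet0/24", 10, trusted=True)
    samples = [
        (DhcpPacket("DHCPDISCOVER", "0011.2233.4455", "0011.2233.4455"), client_port),
        (DhcpPacket("DHCPOFFER", "aaaa.bbbb.cccc", "0011.2233.4455"), client_port),
        (DhcpPacket("DHCPOFFER", "aaaa.bbbb.cccc", "0011.2233.4455"), uplink),
        (DhcpPacket("DHCPDISCOVER", "0011.2233.4455", "0011.2233.4455", has_option82=True), client_port),
        (DhcpPacket("DHCPRELEASE", "0011.2233.4455", "0011.2233.4455"), Port("GigabitEthernet0/3", 10)),
    ]
    for pkt, port in samples:
        verdict, reason = snooping_decision(pkt, port, state)
        print(f"{pkt.msg_type:13} on {port.name:20} -> {verdict:7} ({reason})")
```

Setting `allow_untrusted_option82` is the modelled equivalent of the global command discussed above; as the guidelines later in this chapter say, it belongs only on an aggregation switch whose untrusted side is an edge switch, because it also lets any other untrusted device present its own option-82 data.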

Option-82  Data  Insertion 

In  residential,  metropolitan  Ethernet-access  environments,  DHCP  can  centrally  manage  the  IP  address 
assignments  for  a  large  number  of  subscribers.  When  the  DHCP  option-82  feature  is  enabled  on  the 
switch,  a  subscriber  device  is  identified  by  the  switch  port  through  which  it  connects  to  the  network  (in 
addition  to  its  MAC  address).  Multiple  hosts  on  the  subscriber  LAN  can  be  connected  to  the  same  port 
on  the  access  switch  and  are  uniquely  identified. 


Note  The DHCP option-82 feature is supported only when DHCP snooping is globally enabled and on the VLANs to which subscriber devices using this feature are assigned.


Figure  16-1  on  page  16-4  is  an  example  of  a  metropolitan  Ethernet  network  in  which  a  centralized  DHCP 
server  assigns  IP  addresses  to  subscribers  connected  to  the  switch  at  the  access  layer.  Because  the  DHCP 
clients  and  their  associated  DHCP  server  do  not  reside  on  the  same  IP  network  or  subnet,  a  DHCP  relay 
agent  (the  Catalyst  switch)  is  configured  with  a  helper  address  to  enable  broadcast  forwarding  and  to 
transfer  DHCP  messages  between  the  clients  and  the  server. 


Figure 16-1  DHCP Relay Agent in a Metropolitan Ethernet Network


When  you  enable  the  DHCP  snooping  information  option  82  on  the  switch,  this  sequence  of 
events  occurs: 

•  The  Blade  Server  (DHCP  client)  generates  a  DHCP  request  and  broadcasts  it  on  the  network. 

•  When the blade switch receives the DHCP request, it adds the option-82 information in the packet. The remote-ID suboption is the switch MAC address, and the circuit-ID suboption is the port identifier, vlan-mod-port, from which the packet is received.

•  If  the  IP  address  of  the  relay  agent  is  configured,  the  switch  adds  this  IP  address  in  the  DHCP  packet. 

•  The  blade  switch  forwards  the  DHCP  request  that  includes  the  option-82  field  to  the  DHCP  server. 

•  The  DHCP  server  receives  the  packet.  If  the  server  is  option-82-capable,  it  can  use  the  remote  ID, 
the  circuit  ID,  or  both  to  assign  IP  addresses  and  implement  policies,  such  as  restricting  the  number 
of  IP  addresses  that  can  be  assigned  to  a  single  remote  ID  or  circuit  ID.  Then  the  DHCP  server 
echoes  the  option-82  field  in  the  DHCP  reply. 

•  The  DHCP  server  unicasts  the  reply  to  the  blade  switch  if  the  request  was  relayed  to  the  server  by 
the  switch.  The  switch  verifies  that  it  originally  inserted  the  option-82  data  by  inspecting  the 
remote  ID  and  possibly  the  circuit  ID  fields.  The  switch  removes  the  option-82  field  and  forwards 
the  packet  to  the  switch  port  that  connects  to  the  DHCP  client  that  sent  the  DHCP  request. 

When  the  described  sequence  of  events  occurs,  the  values  in  these  fields  in  Figure  16-2  do  not  change: 

•  Circuit-ID  suboption  fields 

-  Suboption  type 

-  Length  of  the  suboption  type 

-  Circuit-ID  type 

-  Length  of  the  circuit-ID  type 

•  Remote-ID  suboption  fields 

-  Suboption  type 

-  Length  of  the  suboption  type 

-  Remote-ID  type 

-  Length  of  the  remote-ID  type 
In the port field of the circuit ID suboption, the port numbers start at 1. For example, on a CGESM
switch,  which  has  24  ports,  port  1  is  the  Gigabit  Ethernet  0/1  port,  port  2  is  the  Gigabit  Ethernet  0/2  port, 
port  3  is  the  Gigabit  Ethernet  0/3  port,  and  so  on.  Because  ports  19,  20,  21,  and  22  are  small  form-factor 
pluggable  (SFP)  modules,  port  19  is  the  SFP  module  slot  0/1,  port  20  is  the  SFP  module  slot  0/2,  port 
21  is  the  SFP  module  slot  0/3  and  port  22  is  the  SFP  module  slot  0/4. 

Figure 16-2 shows the packet formats for the remote-ID suboption and the circuit-ID suboption. The switch uses the packet formats when you globally enable DHCP snooping and enter the ip dhcp snooping information option global configuration command.


Figure 16-2  Suboption Packet Formats

Circuit ID Suboption Frame Format: Suboption type (1 byte, value 1), Length (1 byte, value 6), Circuit ID type (1 byte, value 0), Length (1 byte, value 4), VLAN (2 bytes), Module (1 byte), Port (1 byte).

Remote ID Suboption Frame Format: Suboption type (1 byte, value 2), Length (1 byte, value 8), Remote ID type (1 byte, value 0), Length (1 byte, value 6), MAC address (6 bytes).
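The two suboption layouts in Figure 16-2 and the port numbering described just before it can be exercised directly. The following encoder/decoder is an added example, not from the Cisco guide or Cisco IOS: it builds an option-82 field in the circuit-ID and remote-ID formats of the figure, parses one back with length checks, and implements the check the relay agent performs on the server's reply (that the remote ID is this switch's own MAC address). The port-to-interface mapping beyond the ports named on the page (ports 1 through 18 as Gigabit Ethernet 0/1 through 0/18, ports 23 and 24 unnamed) is an assumption, as are the function names and the constructed values.

```python
import struct

OPTION_RELAY_AGENT_INFO = 82
CIRCUIT_ID_SUBOPTION = 1   # suboption type 1, per Figure 16-2
REMOTE_ID_SUBOPTION = 2    # suboption type 2, per Figure 16-2


def _mac_bytes(mac):
    """Accept '000b.462d.c502', '00:0b:46:2d:c5:02' or raw hex; return 6 bytes."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def _mac_str(raw):
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in (0, 4, 8))


def build_circuit_id(vlan, module, port):
    """Suboption type 1, length 6, circuit-ID type 0, length 4, VLAN(2) module(1) port(1)."""
    return bytes([CIRCUIT_ID_SUBOPTION, 6, 0, 4]) + struct.pack("!HBB", vlan, module, port)


def build_remote_id(switch_mac):
    """Suboption type 2, length 8, remote-ID type 0, length 6, switch MAC(6)."""
    return bytes([REMOTE_ID_SUBOPTION, 8, 0, 6]) + _mac_bytes(switch_mac)


def build_option82(vlan, module, port, switch_mac):
    """Whole option: code 82, length, then the two suboptions."""
    body = build_circuit_id(vlan, module, port) + build_remote_id(switch_mac)
    return bytes([OPTION_RELAY_AGENT_INFO, len(body)]) + body


def parse_option82(data):
    """Decode an option-82 field in the Figure 16-2 formats; raises ValueError
    on any length or type-field inconsistency rather than guessing."""
    if len(data) < 2 or data[0] != OPTION_RELAY_AGENT_INFO or data[1] != len(data) - 2:
        raise ValueError("not a well-formed option 82")
    result = {}
    i = 2
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated suboption header")
        sub, length = data[i], data[i + 1]
        body = data[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated suboption body")
        if sub == CIRCUIT_ID_SUBOPTION:
            if length != 6 or body[0] != 0 or body[1] != 4:
                raise ValueError("unexpected circuit-ID suboption layout")
            vlan, module, port = struct.unpack("!HBB", body[2:])
            result["circuit_id"] = {"vlan": vlan, "module": module, "port": port}
        elif sub == REMOTE_ID_SUBOPTION:
            if length != 8 or body[0] != 0 or body[1] != 6:
                raise ValueError("unexpected remote-ID suboption layout")
            result["remote_id"] = _mac_str(body[2:])
        else:
            result.setdefault("unknown_suboptions", []).append(sub)
        i += 2 + length
    return result


def is_valid_option82(data):
    try:
        parse_option82(data)
        return True
    except ValueError:
        return False


def inserted_by_this_switch(data, switch_mac):
    """The relay agent's check on the server reply: does the remote ID carry our MAC?"""
    return parse_option82(data).get("remote_id") == _mac_str(_mac_bytes(switch_mac))


def circuit_port_name(port):
    """Map the circuit-ID port number to the interface name on a 24-port CGESM.
    Ports 19-22 are the SFP module slots as stated on the page; 1-18 as
    Gigabit Ethernet 0/N is assumed from 'port 1 is ... 0/1, and so on'."""
    if 1 <= port <= 18:
        return f"GigabitEthernet0/{port}"
    if 19 <= port <= 22:
        return f"SFP module slot 0/{port - 18}"
    return f"port {port}"  # not described on the page


if __name__ == "__main__":
    # Constructed values: VLAN 10, module 0, circuit-ID port 19, switch MAC from the page's example.
    opt = build_option82(vlan=10, module=0, port=19, switch_mac="000b.462d.c502")
    print(opt.hex())
    decoded = parse_option82(opt)
    print(decoded, "->", circuit_port_name(decoded["circuit_id"]["port"]))
    print("reply echoes our remote ID:", inserted_by_this_switch(opt, "000b.462d.c502"))
```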


Configuring  DHCP  Features 

These  sections  contain  this  configuration  information: 

•  Default  DHCP  Configuration,  page  16-5 

•  DHCP  Snooping  Configuration  Guidelines,  page  16-6 

•  Configuring  the  DHCP  Relay  Agent,  page  16-7 

•  Enabling  DHCP  Snooping  and  Option  82,  page  16-7 

Default  DHCP  Configuration 

Table  16-1  shows  the  default  DHCP  configuration. 
Table 16-1  Default DHCP Configuration

Feature                                                                 Default Setting
DHCP server                                                             Enabled in Cisco IOS software, requires configuration (1)
DHCP relay agent                                                        Enabled (2)
DHCP packet forwarding address                                          None configured
Checking the relay agent information                                    Enabled (invalid messages are dropped) (2)
DHCP relay agent forwarding policy                                      Replace the existing relay agent information (2)
DHCP snooping enabled globally                                          Disabled
DHCP snooping information option                                        Enabled
DHCP snooping option to accept packets on untrusted input interfaces (3) Disabled
DHCP snooping limit rate                                                None configured
DHCP snooping trust                                                     Untrusted
DHCP snooping VLAN                                                      Disabled
DHCP snooping MAC address verification                                  Enabled

1. The switch responds to DHCP requests only if it is configured as a DHCP server.

2. The switch relays DHCP packets only if the IP address of the DHCP server is configured on the SVI of the DHCP client.

3. Use this feature when the switch is an aggregation switch that receives packets with option-82 information from an edge switch.


DHCP  Snooping  Configuration  Guidelines 

These  are  the  configuration  guidelines  for  DHCP  snooping. 

•  You  must  globally  enable  DHCP  snooping  on  the  switch. 

•  DHCP  snooping  is  not  active  until  DHCP  snooping  is  enabled  on  a  VLAN. 

•  Before  globally  enabling  DHCP  snooping  on  the  switch,  make  sure  that  the  devices  acting  as  the 
DHCP  server  and  the  DHCP  relay  agent  are  configured  and  enabled. 

•  When  you  globally  enable  DHCP  snooping  on  the  switch,  these  Cisco  IOS  commands  are  not 
available  until  snooping  is  disabled.  If  you  enter  these  commands,  the  switch  returns  an  error 
message,  and  the  configuration  is  not  applied. 

-  ip  dhcp  relay  information  check  global  configuration  command 

-  ip  dhcp  relay  information  policy  global  configuration  command 

-  ip  dhcp  relay  information  trust-all  global  configuration  command 

-  ip  dhcp  relay  information  trusted  interface  configuration  command 

•  Before  configuring  the  DHCP  snooping  information  option  on  your  switch,  be  sure  to  configure  the 
device  that  is  acting  as  the  DHCP  server.  For  example,  you  must  specify  the  IP  addresses  that  the 
DHCP  server  can  assign  or  exclude,  or  you  must  configure  DHCP  options  for  these  devices. 

•  If  the  DHCP  relay  agent  is  enabled  but  DHCP  snooping  is  disabled,  the  DHCP  option-82  data 
insertion  feature  is  not  supported. 
•  If a switch port is connected to a DHCP server, configure a port as trusted by entering the ip dhcp
snooping  trust  interface  configuration  command. 

•  If  a  switch  port  is  connected  to  a  DHCP  client,  configure  a  port  as  untrusted  by  entering  the  no  ip 
dhcp  snooping  trust  interface  configuration  command. 

•  Do  not  enter  the  ip  dhcp  snooping  information  option  allow-untrusted  command  on  an 
aggregation  switch  to  which  an  untrusted  device  is  connected.  If  you  enter  this  command,  an 
untrusted  device  might  spoof  the  option-82  information. 

•  Starting  with  Cisco  IOS  Release  12.2(37)SE,  you  can  display  DHCP  snooping  statistics  by  entering 
the  show  ip  dhcp  snooping  statistics  user  EXEC  command,  and  you  can  clear  the  snooping 
statistics  counters  by  entering  the  clear  ip  dhcp  snooping  statistics  privileged  EXEC  command. 

Configuring  the  DHCP  Relay  Agent 

Beginning in privileged EXEC mode, follow these steps to enable the DHCP relay agent on the switch:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  service dhcp
        Enable the DHCP server and relay agent on your switch. By default, this feature is enabled.

Step 3  end
        Return to privileged EXEC mode.

Step 4  show running-config
        Verify your entries.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To  disable  the  DHCP  server  and  relay  agent,  use  the  no  service  dhcp  global  configuration  command. 

See  the  "Configuring  DHCP"  section  of  the  "IP  Addressing  and  Services"  section  of  the  Cisco  IOS  IP 
Configuration  Guide,  Release  12.2  for  these  procedures: 

•  Checking  (validating)  the  relay  agent  information 

•  Configuring  the  relay  agent  forwarding  policy 

Enabling DHCP Snooping and Option 82

Beginning in privileged EXEC mode, follow these steps to enable DHCP snooping on the switch:

Command  Purpose
Step 1   configure terminal  Enter global configuration mode.

Step 2   ip dhcp snooping  Enable DHCP snooping globally.

Step 3   ip dhcp snooping vlan vlan-range  Enable DHCP snooping on a VLAN or range of VLANs. The range is 1 to 4094.
         You can enter a single VLAN ID identified by VLAN ID number, a series of VLAN IDs separated by commas, a range of VLAN IDs separated by hyphens, or a range of VLAN IDs separated by entering the starting and ending VLAN IDs separated by a space.

Step 4   ip dhcp snooping information option  Enable the switch to insert and remove DHCP relay information (option-82 field) in forwarded DHCP request messages to the DHCP server. This is the default setting.

Step 5   ip dhcp snooping information option allow-untrusted  (Optional) If the switch is an aggregation switch connected to an edge switch, enable the switch to accept incoming DHCP snooping packets with option-82 information from the edge switch.
         The default setting is disabled.
         Note   Enter this command only on aggregation switches that are connected to trusted devices.

Step 6   interface interface-id  Specify the interface to be configured, and enter interface configuration mode.

Step 7   ip dhcp snooping trust  (Optional) Configure the interface as trusted or untrusted. You can use the no keyword to configure an interface to receive messages from an untrusted client. The default setting is untrusted.

Step 8   ip dhcp snooping limit rate rate  (Optional) Configure the number of DHCP packets per second that an interface can receive. The range is 1 to 2048. By default, no rate limit is configured.
         Note   We recommend an untrusted rate limit of not more than 100 packets per second. If you configure rate limiting for trusted interfaces, you might need to increase the rate limit if the port is a trunk port assigned to more than one VLAN on which DHCP snooping is enabled.

Step 9   exit  Return to global configuration mode.

Step 10  ip dhcp snooping verify mac-address  (Optional) Configure the switch to verify that the source MAC address in a DHCP packet that is received on untrusted ports matches the client hardware address in the packet. The default is to verify that the source MAC address matches the client hardware address in the packet.

Step 11  end  Return to privileged EXEC mode.

Step 12  show running-config  Verify your entries.

Step 13  copy running-config startup-config  (Optional) Save your entries in the configuration file.

To disable DHCP snooping, use the no ip dhcp snooping global configuration command. To disable DHCP snooping on a VLAN or range of VLANs, use the no ip dhcp snooping vlan vlan-range global configuration command. To disable the insertion and removal of the option-82 field, use the no ip dhcp snooping information option global configuration command. To configure an aggregation switch to drop incoming DHCP snooping packets with option-82 information from an edge switch, use the no ip dhcp snooping information option allow-untrusted global configuration command.

This example shows how to enable DHCP snooping globally and on VLAN 10 and to configure a rate limit of 100 packets per second on a port:

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# ip dhcp snooping information option
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip dhcp snooping limit rate 100
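The checks that the procedure above turns on for an untrusted port (dropping server messages, rejecting option-82 unless allow-untrusted is set, matching the source MAC against the client hardware address, and the per-port rate limit) modelled in Python. This is an added example, not Cisco code; the port names Gi0/1 and Gi0/24, the packets and the 100 pps limit are constructed to follow the configuration example.

```python
# Added example (not Cisco code): a model of the DHCP snooping checks that the
# procedure above configures. Port names and packets are constructed.
from collections import defaultdict
from dataclasses import dataclass, field

# DHCP message types from option 53 (RFC 2132). OFFER, ACK and NAK come only
# from servers, so they are never legitimate on an untrusted (client) port.
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_ONLY = {OFFER, ACK, NAK}


@dataclass
class DhcpPacket:
    port: str            # ingress interface, e.g. "Gi0/1" (constructed name)
    vlan: int
    src_mac: str         # Ethernet source address
    chaddr: str          # client hardware address inside the DHCP payload
    msg_type: int
    has_option82: bool = False
    ts: float = 0.0      # arrival time in seconds


@dataclass
class SnoopingConfig:
    """Mirrors the knobs set by the 'ip dhcp snooping ...' commands above."""
    enabled: bool = False                               # ip dhcp snooping
    vlans: set = field(default_factory=set)             # ip dhcp snooping vlan
    trusted_ports: set = field(default_factory=set)     # ip dhcp snooping trust
    rate_limits: dict = field(default_factory=dict)     # ip dhcp snooping limit rate
    verify_mac: bool = True                             # ip dhcp snooping verify mac-address
    allow_untrusted_option82: bool = False              # information option allow-untrusted


class DhcpSnooper:
    def __init__(self, cfg: SnoopingConfig):
        self.cfg = cfg
        self._arrivals = defaultdict(list)  # port -> arrival times in the last second

    def _rate_exceeded(self, pkt: DhcpPacket) -> bool:
        limit = self.cfg.rate_limits.get(pkt.port)
        if limit is None:
            return False                    # no limit configured (the default)
        window = self._arrivals[pkt.port]
        window[:] = [t for t in window if pkt.ts - t < 1.0]
        window.append(pkt.ts)
        return len(window) > limit

    def inspect(self, pkt: DhcpPacket) -> str:
        """Return 'forward' or 'drop:<reason>' for one DHCP packet."""
        if not (self.cfg.enabled and pkt.vlan in self.cfg.vlans):
            return "forward"                # snooping not active on this VLAN
        if self._rate_exceeded(pkt):
            return "drop:rate-limit"        # the real switch err-disables the port
        if pkt.port in self.cfg.trusted_ports:
            return "forward"                # trusted: server messages expected here
        # Untrusted port: apply the client-side checks.
        if pkt.msg_type in SERVER_ONLY:
            return "drop:server-message-on-untrusted-port"
        if pkt.has_option82 and not self.cfg.allow_untrusted_option82:
            return "drop:option82-on-untrusted-port"
        if self.cfg.verify_mac and pkt.src_mac.lower() != pkt.chaddr.lower():
            return "drop:mac-mismatch"
        return "forward"


def demo() -> dict:
    """Run constructed packets through the example configuration: snooping on
    VLAN 10, Gi0/1 untrusted with a 100 pps limit, Gi0/24 trusted (server side)."""
    cfg = SnoopingConfig(enabled=True, vlans={10}, trusted_ports={"Gi0/24"},
                         rate_limits={"Gi0/1": 100})
    snooper = DhcpSnooper(cfg)
    mac = "00:11:22:33:44:55"
    results = {
        "client_discover": snooper.inspect(DhcpPacket("Gi0/1", 10, mac, mac, DISCOVER)),
        "rogue_offer": snooper.inspect(DhcpPacket("Gi0/1", 10, mac, mac, OFFER)),
        "spoofed_chaddr": snooper.inspect(
            DhcpPacket("Gi0/1", 10, mac, "00:aa:bb:cc:dd:ee", DISCOVER)),
        "client_with_option82": snooper.inspect(
            DhcpPacket("Gi0/1", 10, mac, mac, DISCOVER, has_option82=True)),
        "server_offer_trusted": snooper.inspect(DhcpPacket("Gi0/24", 10, mac, mac, OFFER)),
        "other_vlan": snooper.inspect(DhcpPacket("Gi0/1", 20, mac, mac, OFFER)),
    }
    # 101 DISCOVERs within one second on Gi0/1 exceed the 100 pps limit
    # (ts=5.0 so the earlier arrivals have aged out of the window).
    burst = [snooper.inspect(DhcpPacket("Gi0/1", 10, mac, mac, DISCOVER, ts=5.0))
             for _ in range(101)]
    results["burst_last"] = burst[-1]
    results["burst_dropped"] = burst.count("drop:rate-limit")
    # With allow-untrusted set, the same option-82 packet from an untrusted port
    # is accepted, which is why the guideline restricts it to aggregation switches.
    lax = DhcpSnooper(SnoopingConfig(enabled=True, vlans={10},
                                     allow_untrusted_option82=True))
    results["option82_allow_untrusted"] = lax.inspect(
        DhcpPacket("Gi0/1", 10, mac, mac, DISCOVER, has_option82=True))
    return results
```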
Enabling the Cisco IOS DHCP Server Database

For procedures to enable and configure the Cisco IOS DHCP server database, see the "DHCP Configuration Task List" section in the "Configuring DHCP" chapter of the Cisco IOS IP Configuration Guide, Release 12.2.

Displaying DHCP Snooping Information

To display the DHCP snooping information, use one or more of the privileged EXEC commands in Table 16-2:

Table 16-2   Commands for Displaying DHCP Information

Command  Purpose
show ip dhcp snooping  Displays the DHCP snooping configuration for a switch.
show ip dhcp snooping binding  Displays only the dynamically configured bindings in the DHCP snooping binding database, also referred to as a binding table.
show ip dhcp snooping statistics  Displays the DHCP snooping statistics in summary or detail form.

Note   If DHCP snooping is enabled and an interface changes to the down state, the switch does not delete the statically configured bindings.
Configuring IGMP Snooping and MVR

This chapter describes how to configure Internet Group Management Protocol (IGMP) snooping on the switch, including an application of local IGMP snooping, Multicast VLAN Registration (MVR). It also includes procedures for controlling multicast group membership by using IGMP filtering and procedures for configuring the IGMP throttling action.

Note   For complete syntax and usage information for the commands used in this chapter, see the switch command reference for this release and the "IP Multicast Routing Commands" section in the Cisco IOS IP Command Reference, Volume 3 of 3: Multicast, Release 12.2.

This chapter consists of these sections:

• Understanding IGMP Snooping, page 17-1

• Configuring IGMP Snooping, page 17-6

• Displaying IGMP Snooping Information, page 17-15

• Understanding Multicast VLAN Registration, page 17-17

• Configuring MVR, page 17-19

• Displaying MVR Information, page 17-23

• Configuring IGMP Filtering and Throttling, page 17-23

• Displaying IGMP Filtering and Throttling Configuration, page 17-28

Note   You can either manage IP multicast group addresses through features such as IGMP snooping and MVR, or you can use static IP addresses.


Understanding IGMP Snooping

Layer 2 switches can use IGMP snooping to constrain the flooding of multicast traffic by dynamically configuring Layer 2 interfaces so that multicast traffic is forwarded to only those interfaces associated with IP multicast devices. As the name implies, IGMP snooping requires the LAN switch to snoop on the IGMP transmissions between the host and the router and to keep track of multicast groups and member ports. When the switch receives an IGMP report from a host for a particular multicast group, the switch adds the host port number to the forwarding table entry; when it receives an IGMP Leave Group message from a host, it removes the host port from the table entry. It also periodically deletes entries if it does not receive IGMP membership reports from the multicast clients.

Note   For more information on IP multicast and IGMP, see RFC 1112 and RFC 2236.

The multicast router sends out periodic general queries to all VLANs. All hosts interested in this multicast traffic send join requests and are added to the forwarding table entry. The switch creates one entry per VLAN in the IGMP snooping IP multicast forwarding table for each group from which it receives an IGMP join request.

The switch supports IP multicast group-based bridging, rather than MAC address-based groups. With multicast MAC address-based groups, if an IP address being configured translates (aliases) to a previously configured MAC address or to any reserved multicast MAC addresses (in the range 224.0.0.xxx), the command fails. Because the switch uses IP multicast groups, there are no address aliasing issues.

The IP multicast groups learned through IGMP snooping are dynamic. However, you can statically configure multicast groups by using the ip igmp snooping vlan vlan-id static ip_address interface interface-id global configuration command. If you specify group membership for a multicast group address statically, your setting supersedes any automatic manipulation by IGMP snooping. Multicast group membership lists can consist of both user-defined and IGMP snooping-learned settings.

You can configure an IGMP snooping querier to support IGMP snooping in subnets without multicast interfaces because the multicast traffic does not need to be routed. For more information about the IGMP snooping querier, see the "Configuring the IGMP Snooping Querier" section on page 17-13.

If a port spanning-tree, a port group, or a VLAN ID change occurs, the IGMP snooping-learned multicast groups from this port on the VLAN are deleted.

These sections describe IGMP snooping characteristics:

• IGMP Versions, page 17-2

• Joining a Multicast Group, page 17-3

• Leaving a Multicast Group, page 17-5

• Immediate Leave, page 17-5

• IGMP Configurable-Leave Timer, page 17-5

• IGMP Report Suppression, page 17-6

IGMP Versions

The switch supports IGMP Version 1, IGMP Version 2, and IGMP Version 3. These versions are interoperable on the switch. For example, if IGMP snooping is enabled on an IGMPv2 switch and the switch receives an IGMPv3 report from a host, the switch can forward the IGMPv3 report to the multicast router.

Note   The switch supports IGMPv3 snooping based only on the destination multicast MAC address. It does not support snooping based on the source MAC address or on proxy reports.

An IGMPv3 switch supports Basic IGMPv3 Snooping Support (BISS), which includes support for the snooping features on IGMPv1 and IGMPv2 switches and for IGMPv3 membership report messages. BISS constrains the flooding of multicast traffic when your network includes IGMPv3 hosts. It constrains traffic to approximately the same set of ports as the IGMP snooping feature on IGMPv2 or IGMPv1 hosts.

Note   IGMPv3 join and leave messages are not supported on switches running IGMP filtering or MVR.

An IGMPv3 switch can receive messages from and forward messages to a device running the Source Specific Multicast (SSM) feature. For more information about source-specific multicast with IGMPv3 and IGMP, see the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/software/iosl21/121newft/121t/121t5/dtssm5t.htm


Joining a Multicast Group

When a blade server connected to the switch wants to join an IP multicast group and it is an IGMP Version 2 client, it sends an unsolicited IGMP join message, specifying the IP multicast group to join. Alternatively, when the switch receives a general query from the router, it forwards the query to all ports in the VLAN. IGMP Version 1 or Version 2 blade servers wanting to join the multicast group respond by sending a join message to the switch. The switch CPU creates a multicast forwarding-table entry for the group if it is not already present. The CPU also adds the interface where the join message was received to the forwarding-table entry. The blade server associated with that interface receives multicast traffic for that multicast group. See Figure 17-1.

Figure 17-1

Router A sends a general query to the switch, which forwards the query to ports 2 through 5, which are all members of the same VLAN. Blade Server 1 wants to join multicast group 224.1.2.3 and multicasts an IGMP membership report (IGMP join message) to the group. The switch CPU uses the information in the IGMP report to set up a forwarding-table entry, as shown in Table 17-1, that includes the port numbers of Blade Server 1 and the router.

Table 17-1   IGMP Snooping Forwarding Table

Destination Address  Type of Packet  Ports
224.1.2.3            IGMP            1, 2

The switch hardware can distinguish IGMP information packets from other packets for the multicast group. The information in the table tells the switching engine to send frames addressed to the 224.1.2.3 multicast IP address that are not IGMP packets to the router and to the host that has joined the group.

If another blade server (for example, Blade Server 4) sends an unsolicited IGMP join message for the same group (Figure 17-2), the CPU receives that message and adds the port number of Blade Server 4 to the forwarding table as shown in Table 17-2. Note that because the forwarding table directs IGMP messages only to the CPU, the message is not flooded to other ports on the switch. Any known multicast traffic is forwarded to the group and not to the CPU.

Figure 17-2   Second Host Joining a Multicast Group

Table 17-2   Updated IGMP Snooping Forwarding Table

Destination Address  Type of Packet  Ports
224.1.2.3            IGMP            1, 2, 5
Leaving a Multicast Group

The router sends periodic multicast general queries, and the switch forwards these queries through all ports in the VLAN. Interested blade servers respond to the queries. If at least one blade server in the VLAN wishes to receive multicast traffic, the router continues forwarding the multicast traffic to the VLAN. The switch forwards multicast group traffic only to those blade servers listed in the forwarding table for that IP multicast group maintained by IGMP snooping.

When blade servers want to leave a multicast group, they can silently leave, or they can send a leave message. When the switch receives a leave message from a blade server, it sends a group-specific query to learn if any other devices connected to that interface are interested in traffic for the specific multicast group. The switch then updates the forwarding table for that MAC group so that only those blade servers interested in receiving multicast traffic for the group are listed in the forwarding table. If the router receives no reports from a VLAN, it removes the group for the VLAN from its IGMP cache.

Immediate Leave

Immediate Leave is only supported on IGMP Version 2 hosts.

The switch uses IGMP snooping Immediate Leave to remove from the forwarding table an interface that sends a leave message without the switch sending group-specific queries to the interface. The VLAN interface is pruned from the multicast tree for the multicast group specified in the original leave message. Immediate Leave ensures optimal bandwidth management for all blade servers on a switched network, even when multiple multicast groups are simultaneously in use.

You should only use the Immediate Leave feature on VLANs where a single blade server is connected to each port. If Immediate Leave is enabled in VLANs where more than one blade server is connected to a port, some blade servers might inadvertently be dropped.

For configuration steps, see the "Enabling IGMP Immediate Leave" section on page 17-10.

IGMP Configurable-Leave Timer

In Cisco IOS Release 12.2(25)SEA and earlier, the IGMP snooping leave time was fixed at 5 seconds. If membership reports were not received by the switch before the query response time of the query expired, a port was removed from the multicast group membership. However, some applications require a leave latency of less than 5 seconds.

In Cisco IOS Release 12.2(25)SED and later, you can configure the time that the switch waits after sending a group-specific query to determine if hosts are still interested in a specific multicast group. The IGMP leave response time can be configured from 100 to 5000 milliseconds. The timer can be set either globally or on a per-VLAN basis. The VLAN configuration of the leave time overrides the global configuration.

For configuration steps, see the "Configuring the IGMP Leave Timer" section on page 17-11.
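The join, leave, Immediate Leave and configurable leave-timer behaviour described in the preceding sections (Tables 17-1 and 17-2 through the leave timer) modelled as a small forwarding-table state machine. This is an added Python example, not Cisco code; port numbers follow the figures, VLAN IDs 130 and 200 and the timings are constructed.

```python
# Added example (not Cisco code): how the IGMP snooping forwarding table changes
# on join, leave, Immediate Leave and the last-member-query-interval timer.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SnoopedVlan:
    vlan_id: int
    mrouter_ports: set = field(default_factory=set)   # ports toward multicast routers
    immediate_leave: bool = False                      # ip igmp snooping vlan X immediate-leave
    leave_time_ms: Optional[int] = None                # per-VLAN override of the global timer
    members: dict = field(default_factory=dict)        # group -> {member ports}
    pending: dict = field(default_factory=dict)        # (group, port) -> query expiry (ms)


class IgmpSnooper:
    MIN_LEAVE_MS, MAX_LEAVE_MS = 100, 5000             # range given in the text

    def __init__(self, global_leave_time_ms: int = 1000):
        self._check_leave_time(global_leave_time_ms)
        self.global_leave_time_ms = global_leave_time_ms
        self.vlans = {}

    @classmethod
    def _check_leave_time(cls, ms: int) -> None:
        if not cls.MIN_LEAVE_MS <= ms <= cls.MAX_LEAVE_MS:
            raise ValueError(f"leave time must be {cls.MIN_LEAVE_MS}-{cls.MAX_LEAVE_MS} ms")

    def add_vlan(self, vlan_id, mrouter_ports=(), immediate_leave=False, leave_time_ms=None):
        if leave_time_ms is not None:
            self._check_leave_time(leave_time_ms)
        self.vlans[vlan_id] = SnoopedVlan(vlan_id, set(mrouter_ports),
                                          immediate_leave, leave_time_ms)

    def leave_time(self, vlan_id) -> int:
        """The VLAN setting overrides the global one, as the text states."""
        v = self.vlans[vlan_id]
        return v.leave_time_ms if v.leave_time_ms is not None else self.global_leave_time_ms

    def report(self, vlan_id, group, port):
        """A membership report (join) adds the port and cancels a pending removal."""
        v = self.vlans[vlan_id]
        v.members.setdefault(group, set()).add(port)
        v.pending.pop((group, port), None)

    def leave(self, vlan_id, group, port, now_ms=0):
        """IGMPv2 leave: prune at once with Immediate Leave, otherwise send a
        group-specific query and wait leave_time for a report before pruning."""
        v = self.vlans[vlan_id]
        if port not in v.members.get(group, set()):
            return
        if v.immediate_leave:
            self._prune(v, group, port)
        else:
            v.pending[(group, port)] = now_ms + self.leave_time(vlan_id)

    def tick(self, now_ms):
        """Expire group-specific queries that received no report in time."""
        for v in self.vlans.values():
            for (group, port), expiry in list(v.pending.items()):
                if now_ms >= expiry:
                    del v.pending[(group, port)]
                    self._prune(v, group, port)

    @staticmethod
    def _prune(v, group, port):
        v.members[group].discard(port)
        if not v.members[group]:
            del v.members[group]       # last member gone: the entry is removed

    def forwarding_ports(self, vlan_id, group) -> list:
        """Ports receiving non-IGMP traffic for the group: members plus router ports."""
        v = self.vlans[vlan_id]
        if group not in v.members:
            return []
        return sorted(v.members[group] | v.mrouter_ports)


def demo() -> dict:
    """Replay Figures 17-1 and 17-2: router on port 1, Blade Server 1 on port 2,
    Blade Server 4 on port 5 (constructed scenario)."""
    snoop = IgmpSnooper(global_leave_time_ms=1000)
    snoop.add_vlan(1, mrouter_ports={1})
    snoop.add_vlan(130, mrouter_ports={1}, immediate_leave=True)
    snoop.add_vlan(200, mrouter_ports={1}, leave_time_ms=100)   # per-VLAN override
    group, out = "224.1.2.3", {}
    snoop.report(1, group, 2)
    out["after_first_join"] = snoop.forwarding_ports(1, group)     # Table 17-1
    snoop.report(1, group, 5)
    out["after_second_join"] = snoop.forwarding_ports(1, group)    # Table 17-2
    snoop.leave(1, group, 5, now_ms=0)
    snoop.tick(now_ms=500)                                          # query outstanding
    out["during_query"] = snoop.forwarding_ports(1, group)
    snoop.tick(now_ms=1000)                                         # no report: prune 5
    out["after_timer"] = snoop.forwarding_ports(1, group)
    snoop.leave(1, group, 2, now_ms=2000)                           # leave, then a report
    snoop.report(1, group, 2)                                       # before the timer fires
    snoop.tick(now_ms=4000)
    out["report_cancels_leave"] = snoop.forwarding_ports(1, group)
    snoop.report(130, group, 3)
    snoop.leave(130, group, 3)                                      # no query with Immediate Leave
    out["immediate_leave"] = snoop.forwarding_ports(130, group)
    out["vlan200_leave_time"] = snoop.leave_time(200)
    try:
        snoop.add_vlan(300, leave_time_ms=6000)
        out["out_of_range_rejected"] = False
    except ValueError:
        out["out_of_range_rejected"] = True
    return out
```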


IGMP Report Suppression

Note   IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports. This feature is not supported when the query includes IGMPv3 reports.

The switch uses IGMP report suppression to forward only one IGMP report per multicast router query to multicast devices. When IGMP report suppression is enabled (the default), the switch sends the first IGMP report from all blade servers for a group to all the multicast routers. The switch does not send the remaining IGMP reports for the group to the multicast routers. This feature prevents duplicate reports from being sent to the multicast devices.

If the multicast router query includes requests only for IGMPv1 and IGMPv2 reports, the switch forwards only the first IGMPv1 or IGMPv2 report from all blade servers for a group to all the multicast routers.

If the multicast router query also includes requests for IGMPv3 reports, the switch forwards all IGMPv1, IGMPv2, and IGMPv3 reports for a group to the multicast devices.

If you disable IGMP report suppression, all IGMP reports are forwarded to the multicast routers. For configuration steps, see the "Disabling IGMP Report Suppression" section on page 17-15.

Configuring IGMP Snooping

IGMP snooping allows switches to examine IGMP packets and make forwarding decisions based on their content. These sections contain this configuration information:

• Default IGMP Snooping Configuration, page 17-6

• Enabling or Disabling IGMP Snooping, page 17-7

• Setting the Snooping Method, page 17-8

• Configuring a Multicast Router Port, page 17-9

• Configuring a Blade Server Statically to Join a Group, page 17-9

• Enabling IGMP Immediate Leave, page 17-10

• Configuring the IGMP Leave Timer, page 17-11

• Configuring TCN-Related Commands, page 17-11

• Configuring the IGMP Snooping Querier, page 17-13

• Disabling IGMP Report Suppression, page 17-15

Default IGMP Snooping Configuration

Table 17-3 shows the default IGMP snooping configuration.

Table 17-3   Default IGMP Snooping Configuration

Feature  Default Setting
IGMP snooping  Enabled globally and per VLAN
Multicast routers  None configured
Multicast router learning (snooping) method  PIM-DVMRP
IGMP snooping Immediate Leave  Disabled
Static groups  None configured
TCN1 flood query count  2
TCN query solicitation  Disabled
IGMP snooping querier  Disabled
IGMP report suppression  Enabled

1. TCN = Topology Change Notification

Enabling or Disabling IGMP Snooping

By default, IGMP snooping is globally enabled on the switch. When globally enabled or disabled, it is also enabled or disabled in all existing VLAN interfaces. IGMP snooping is by default enabled on all VLANs, but can be enabled and disabled on a per-VLAN basis.

Global IGMP snooping overrides the VLAN IGMP snooping. If global snooping is disabled, you cannot enable VLAN snooping. If global snooping is enabled, you can enable or disable VLAN snooping.

Beginning in privileged EXEC mode, follow these steps to globally enable IGMP snooping on the switch:

Command  Purpose
Step 1   configure terminal  Enter global configuration mode.

Step 2   ip igmp snooping  Globally enable IGMP snooping in all existing VLAN interfaces.

Step 3   end  Return to privileged EXEC mode.

Step 4   copy running-config startup-config  (Optional) Save your entries in the configuration file.

To globally disable IGMP snooping on all VLAN interfaces, use the no ip igmp snooping global configuration command.

Beginning in privileged EXEC mode, follow these steps to enable IGMP snooping on a VLAN interface:

Command  Purpose
Step 1   configure terminal  Enter global configuration mode.

Step 2   ip igmp snooping vlan vlan-id  Enable IGMP snooping on the VLAN interface. The VLAN ID range is 1 to 1001 and 1006 to 4094.
         Note   IGMP snooping must be globally enabled before you can enable VLAN snooping.

Step 3   end  Return to privileged EXEC mode.

Step 4   copy running-config startup-config  (Optional) Save your entries in the configuration file.

To disable IGMP snooping on a VLAN interface, use the no ip igmp snooping vlan vlan-id global configuration command for the specified VLAN number.


Setting the Snooping Method

Multicast-capable router ports are added to the forwarding table for every Layer 2 multicast entry. The switch learns of such ports through one of these methods:

• Snooping on IGMP queries, Protocol Independent Multicast (PIM) packets, and Distance Vector Multicast Routing Protocol (DVMRP) packets

• Listening to Cisco Group Management Protocol (CGMP) packets from other routers

• Statically connecting to a multicast router port with the ip igmp snooping mrouter global configuration command

You can configure the switch either to snoop on IGMP queries and PIM/DVMRP packets or to listen to CGMP self-join or proxy-join packets. By default, the switch snoops on PIM/DVMRP packets on all VLANs. To learn of multicast router ports through only CGMP packets, use the ip igmp snooping vlan vlan-id mrouter learn cgmp global configuration command. When this command is entered, the router listens to only CGMP self-join and CGMP proxy-join packets and to no other CGMP packets. To learn of multicast router ports through only PIM-DVMRP packets, use the ip igmp snooping vlan vlan-id mrouter learn pim-dvmrp global configuration command.

Note   If you want to use CGMP as the learning method and no multicast routers in the VLAN are CGMP proxy-enabled, you must enter the ip cgmp router-only command to dynamically access the router.

Beginning in privileged EXEC mode, follow these steps to alter the method in which a VLAN interface dynamically accesses a multicast router:

Command  Purpose
Step 1   configure terminal  Enter global configuration mode.

Step 2   ip igmp snooping vlan vlan-id mrouter learn {cgmp | pim-dvmrp}  Enable IGMP snooping on a VLAN. The VLAN ID range is 1 to 1001 and 1006 to 4094.
         Specify the multicast router learning method:
         • cgmp: Listen for CGMP packets. This method is useful for reducing control traffic.
         • pim-dvmrp: Snoop on IGMP queries and PIM-DVMRP packets. This is the default.

Step 3   end  Return to privileged EXEC mode.

Step 4   show ip igmp snooping  Verify the configuration.

Step 5   copy running-config startup-config  (Optional) Save your entries in the configuration file.

To return to the default learning method, use the no ip igmp snooping vlan vlan-id mrouter learn cgmp global configuration command.

This example shows how to configure IGMP snooping to use CGMP packets as the learning method:

Switch# configure terminal
Switch(config)# ip igmp snooping vlan 1 mrouter learn cgmp
Switch(config)# end


Configuring a Multicast Router Port

To add a multicast router port (add a static connection to a multicast router), use the ip igmp snooping vlan mrouter global configuration command on the switch.

Beginning in privileged EXEC mode, follow these steps to enable a static connection to a multicast router:

Command  Purpose
Step 1   configure terminal  Enter global configuration mode.

Step 2   ip igmp snooping vlan vlan-id mrouter interface interface-id  Specify the multicast router VLAN ID and the interface to the multicast router.
         • The VLAN ID range is 1 to 1001 and 1006 to 4094.
         • The interface can be a physical interface or a port channel. The port-channel range is 1 to 48.

Step 3   end  Return to privileged EXEC mode.

Step 4   show ip igmp snooping mrouter [vlan vlan-id]  Verify that IGMP snooping is enabled on the VLAN interface.

Step 5   copy running-config startup-config  (Optional) Save your entries in the configuration file.

To remove a multicast router port from the VLAN, use the no ip igmp snooping vlan vlan-id mrouter interface interface-id global configuration command.

This example shows how to enable a static connection to a multicast router:

Switch# configure terminal
Switch(config)# ip igmp snooping vlan 200 mrouter interface gigabitethernet0/2
Switch(config)# end

Configuring a Blade Server Statically to Join a Group

Blade servers that are connected to Layer 2 ports normally join multicast groups dynamically. You can also statically configure a Layer 2 port, to which a blade server is connected, so that the port joins a multicast group.
Beginning in privileged EXEC mode, follow these steps to add a Layer 2 port as a member of a multicast group:

Command  Purpose
Step 1   configure terminal  Enter global configuration mode.

Step 2   ip igmp snooping vlan vlan-id static ip_address interface interface-id  Statically configure a Layer 2 port as a member of a multicast group:
         • vlan-id is the multicast group VLAN ID. The range is 1 to 1001 and 1006 to 4094.
         • ip_address is the group IP address.
         • interface-id is the member port. It can be a physical interface or a port channel (1 to 48).

Step 3   end  Return to privileged EXEC mode.

Step 4   show ip igmp snooping groups  Verify the member port and the IP address.

Step 5   copy running-config startup-config  (Optional) Save your entries in the configuration file.

To remove the Layer 2 port from the multicast group, use the no ip igmp snooping vlan vlan-id static mac-address interface interface-id global configuration command.

This example shows how to statically configure a blade server on a port:

Switch# configure terminal
Switch(config)# ip igmp snooping vlan 105 static 224.2.4.12 interface gigabitethernet0/1
Switch(config)# end


Enabling IGMP Immediate Leave

When you enable IGMP Immediate Leave, the switch immediately removes a port when it detects an IGMP Version 2 leave message on that port. You should only use the Immediate-Leave feature when there is a single receiver present on every port in the VLAN.

Note   Immediate Leave is supported only on IGMP Version 2 blade servers.

Beginning in privileged EXEC mode, follow these steps to enable IGMP Immediate Leave:

Command  Purpose
Step 1   configure terminal  Enter global configuration mode.

Step 2   ip igmp snooping vlan vlan-id immediate-leave  Enable IGMP Immediate Leave on the VLAN interface.

Step 3   end  Return to privileged EXEC mode.

Step 4   show ip igmp snooping vlan vlan-id  Verify that Immediate Leave is enabled on the VLAN interface.

Step 5   copy running-config startup-config  (Optional) Save your entries in the configuration file.

To disable IGMP Immediate Leave on a VLAN, use the no ip igmp snooping vlan vlan-id immediate-leave global configuration command.

This example shows how to enable IGMP Immediate Leave on VLAN 130:

Switch# configure terminal
Switch(config)# ip igmp snooping vlan 130 immediate-leave
Switch(config)# end
Configuring  the  IGMP  Leave  Timer 

Follows  these  guidelines  when  configuring  the  IGMP  leave  timer: 

•  You  can  configure  the  leave  time  globally  or  on  a  per- VLAN  basis. 

•  Configuring  the  leave  time  on  a  VLAN  overrides  the  global  setting. 

•  The  default  leave  time  is  1000  milliseconds. 

•  The  IGMP  configurable  leave  time  is  only  supported  on  hosts  running  IGMP  Version  2. 

•  The  actual  leave  latency  in  the  network  is  usually  the  configured  leave  time.  However,  the  leave  time 
might  vary  around  the  configured  time,  depending  on  real-time  CPU  load  conditions,  network  delays 
and  the  amount  of  traffic  sent  through  the  interface. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  enable  the  IGMP  configurable-leave  timer: 


Command  Purpose

Step 1   configure terminal
         Enter global configuration mode.

Step 2   ip igmp snooping last-member-query-interval time
         Configure the IGMP leave timer globally. The range is 100 to 5000 milliseconds. The default is 1000 milliseconds.

Step 3   ip igmp snooping vlan vlan-id last-member-query-interval time
         (Optional) Configure the IGMP leave time on the VLAN interface. The range is 100 to 5000 milliseconds.

         Note  Configuring the leave time on a VLAN overrides the globally configured timer.

Step 4   end
         Return to privileged EXEC mode.

Step 5   show ip igmp snooping
         (Optional) Display the configured IGMP leave time.

Step 6   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To  globally  reset  the  IGMP  leave  timer  to  the  default  setting,  use  the  no  ip  igmp  snooping 
last-member-query-interval  global  configuration  command. 

To  remove  the  configured  IGMP  leave-time  setting  from  the  specified  VLAN,  use  the  no  ip  igmp 
snooping  vlan  vlan-id  last-member-query-interval  global  configuration  command. 


Configuring  TCN-Related  Commands 

These sections describe how to control flooded multicast traffic during a TCN event:

•  Controlling the Multicast Flooding Time After a TCN Event

•  Recovering from Flood Mode

•  Disabling Multicast Flooding During a TCN Event

Controlling the Multicast Flooding Time After a TCN Event

You can control the time that multicast traffic is flooded after a TCN event by using the ip igmp snooping tcn flood query count global configuration command. This command configures the number of general queries for which multicast data traffic is flooded after a TCN event. Examples of TCN events are a client changing its location so that the receiver is now on a port that was blocked but is now forwarding, and a port going down without sending a leave message.

If you set the TCN flood query count to 1 by using the ip igmp snooping tcn flood query count command, the flooding stops after 1 general query is received. If you set the count to 7, the flooding continues until 7 general queries are received. Groups are relearned based on the general queries received during the TCN event.

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  the  TCN  flood  query  count: 


Command  Purpose

Step 1   configure terminal
         Enter global configuration mode.

Step 2   ip igmp snooping tcn flood query count count
         Specify the number of IGMP general queries for which the multicast traffic is flooded. The range is 1 to 10. By default, the flooding query count is 2.

Step 3   end
         Return to privileged EXEC mode.

Step 4   show ip igmp snooping
         Verify the TCN settings.

Step 5   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To return to the default flooding query count, use the no ip igmp snooping tcn flood query count global configuration command.
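The following Python model is an added illustration, not part of this guide or of the switch software. It replays the leave handling described in the Immediate Leave, leave-timer and TCN flood query count sections for a single VLAN: a leave on a port with Immediate Leave prunes the port at once; a leave without it starts a group-specific query, and the port survives only if a report arrives within last-member-query-interval; a TCN floods every port until the configured number of general queries has been seen. Port names, the group address and the timings are made up, real IGMP frames are not parsed, and timers advance only through tick().

```python
"""Model of IGMP-snooping leave handling for one VLAN (added illustration, not Cisco code)."""
from dataclasses import dataclass, field


@dataclass
class SnoopingVlan:
    immediate_leave: bool = False                  # ip igmp snooping vlan <id> immediate-leave
    last_member_query_interval_ms: int = 1000      # ip igmp snooping last-member-query-interval
    tcn_flood_query_count: int = 2                 # ip igmp snooping tcn flood query count
    members: dict = field(default_factory=dict)    # group -> set of ports with a listener
    pending: dict = field(default_factory=dict)    # (group, port) -> ms left to answer the query
    flood_queries_left: int = 0                    # > 0 while recovering from a TCN
    sent_queries: list = field(default_factory=list)

    def on_report(self, port, group):
        self.members.setdefault(group, set()).add(port)
        self.pending.pop((group, port), None)      # a report answers the outstanding query

    def on_leave(self, port, group):
        if port not in self.members.get(group, ()):
            return
        if self.immediate_leave:
            # Prune now. The switch cannot tell whether a second host behind the
            # port is still listening; that host is silent until the next general query.
            self.members[group].discard(port)
            return
        # Otherwise ask, and keep the port only if someone answers in time.
        self.sent_queries.append(("group-specific", port, group))
        self.pending[(group, port)] = self.last_member_query_interval_ms

    def tick(self, ms):
        for key, left in list(self.pending.items()):
            left -= ms
            if left <= 0:                          # leave latency == configured leave time
                del self.pending[key]
                group, port = key
                self.members.get(group, set()).discard(port)
            else:
                self.pending[key] = left

    def on_tcn(self):
        self.flood_queries_left = self.tcn_flood_query_count

    def on_general_query(self):
        if self.flood_queries_left:
            self.flood_queries_left -= 1

    def egress(self, group, vlan_ports):
        # While recovering from a TCN every port in the VLAN gets the stream.
        if self.flood_queries_left:
            return set(vlan_ports)
        return set(self.members.get(group, ()))


def shared_port_after_leave(immediate, other_host_answers_ms=None):
    """Two hosts share Gi0/2 (made-up port); host A leaves. True if the port keeps the stream."""
    vlan = SnoopingVlan(immediate_leave=immediate)
    vlan.on_report("Gi0/2", "239.1.1.1")          # host A reports (B's report is suppressed)
    vlan.on_leave("Gi0/2", "239.1.1.1")           # host A leaves
    if vlan.sent_queries and other_host_answers_ms is not None:
        vlan.tick(other_host_answers_ms)
        vlan.on_report("Gi0/2", "239.1.1.1")      # host B answers the group-specific query
    vlan.tick(vlan.last_member_query_interval_ms)
    return "Gi0/2" in vlan.egress("239.1.1.1", ["Gi0/1", "Gi0/2", "Gi0/3"])
```

shared_port_after_leave(True, 300) returns False: the second host on Gi0/2 loses the stream although it is still listening, which is why the guide restricts Immediate Leave to ports with a single receiver. Without Immediate Leave the same call returns True, and with no answering host the port is pruned exactly when the leave timer expires.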


Recovering  from  Flood  Mode 

When a topology change occurs, the spanning-tree root sends a special IGMP leave message (also known as a global leave) with the group multicast address 0.0.0.0. However, when you enable the ip igmp snooping tcn query solicit global configuration command, the switch sends the global leave message whether or not it is the spanning-tree root. When the router receives this special leave, it immediately sends general queries, which expedite the process of recovering from the flood mode during the TCN event. Leaves are always sent if the switch is the spanning-tree root, regardless of this configuration command. By default, query solicitation is disabled.

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  enable  the  switch  to  send  the  global  leave 
message  whether  or  not  it  is  the  spanning-tree  root: 


Command  Purpose

Step 1   configure terminal
         Enter global configuration mode.

Step 2   ip igmp snooping tcn query solicit
         Send an IGMP leave message (global leave) to speed the process of recovering from the flood mode caused during a TCN event. By default, query solicitation is disabled.

Step 3   end
         Return to privileged EXEC mode.

Step 4   show ip igmp snooping
         Verify the TCN settings.

Step 5   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To return to the default query solicitation, use the no ip igmp snooping tcn query solicit global configuration command.


Disabling  Multicast  Flooding  During  a  TCN  Event 


When the switch receives a TCN, multicast traffic is flooded to all the ports until 2 general queries (the default TCN flood query count) are received. If the switch has many ports with attached hosts that are subscribed to different multicast groups, this flooding might exceed the capacity of the link and cause packet loss. You can use the ip igmp snooping tcn flood interface configuration command to control this behavior.

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  disable  multicast  flooding  on  an  interface: 


Command  Purpose

Step 1   configure terminal
         Enter global configuration mode.

Step 2   interface interface-id
         Specify the interface to be configured, and enter interface configuration mode.

Step 3   no ip igmp snooping tcn flood
         Disable the flooding of multicast traffic during a spanning-tree TCN event.
         By default, multicast flooding is enabled on an interface.

Step 4   end
         Return to privileged EXEC mode.

Step 5   show ip igmp snooping
         Verify the TCN settings.

Step 6   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To re-enable multicast flooding on an interface, use the ip igmp snooping tcn flood interface configuration command.


Configuring  the  IGMP  Snooping  Querier 

Follow  these  guidelines  when  configuring  the  IGMP  snooping  querier: 

•  Configure  the  VLAN  in  global  configuration  mode. 

•  Configure an IP address on the VLAN interface. When enabled, the IGMP snooping querier uses the IP address as the query source address.

•  If  there  is  no  IP  address  configured  on  the  VLAN  interface,  the  IGMP  snooping  querier  tries  to  use 
the  configured  global  IP  address  for  the  IGMP  querier.  If  there  is  no  global  IP  address  specified,  the 
IGMP  querier  tries  to  use  the  VLAN  switch  virtual  interface  (SVI)  IP  address  (if  one  exists).  If  there 
is  no  SVI  IP  address,  the  switch  uses  the  first  available  IP  address  configured  on  the  switch.  The  first 
IP  address  available  appears  in  the  output  of  the  show  ip  interface  privileged  EXEC  command.  The 
IGMP  snooping  querier  does  not  generate  an  IGMP  general  query  if  it  cannot  find  an  available  IP 
address  on  the  switch. 

•  The  IGMP  snooping  querier  supports  IGMP  Versions  1  and  2. 
•  When administratively enabled, the IGMP snooping querier moves to the nonquerier state if it detects the presence of a multicast router in the network.

•  When  it  is  administratively  enabled,  the  IGMP  snooping  querier  moves  to  the  operationally  disabled 
state  under  these  conditions: 

-  IGMP  snooping  is  disabled  in  the  VLAN. 

-  PIM  is  enabled  on  the  SVI  of  the  corresponding  VLAN. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  enable  the  IGMP  snooping  querier  feature  in 
a  VLAN: 


Command  Purpose

Step 1   configure terminal
         Enter global configuration mode.

Step 2   ip igmp snooping querier
         Enable the IGMP snooping querier.

Step 3   ip igmp snooping querier address ip_address
         (Optional) Specify an IP address for the IGMP snooping querier. If you do not specify an IP address, the querier tries to use the global IP address configured for the IGMP querier.

         Note  The IGMP snooping querier does not generate an IGMP general query if it cannot find an IP address on the switch.

Step 4   ip igmp snooping querier query-interval interval-count
         (Optional) Set the interval between IGMP queries. The range is 1 to 18000 seconds.

Step 5   ip igmp snooping querier tcn query [count count | interval interval]
         (Optional) Set the number of queries sent after a Topology Change Notification (TCN) and the time between them. The count range is 1 to 10. The interval range is 1 to 255 seconds.

Step 6   ip igmp snooping querier timer expiry timeout
         (Optional) Set the length of time until the IGMP querier expires. The range is 60 to 300 seconds.

Step 7   ip igmp snooping querier version version
         (Optional) Select the IGMP version number that the querier feature uses. Select 1 or 2.

Step 8   end
         Return to privileged EXEC mode.

Step 9   show ip igmp snooping vlan vlan-id
         (Optional) Verify that the IGMP snooping querier is enabled on the VLAN interface. The VLAN ID range is 1 to 1001 and 1006 to 4094.

Step 10  copy running-config startup-config
         (Optional) Save your entries in the configuration file.

This example shows how to set the IGMP snooping querier source address to 10.0.0.64:

Switch# configure terminal
Switch(config)# ip igmp snooping querier address 10.0.0.64
Switch(config)# end

This example shows how to set the IGMP snooping querier query interval to 25 seconds:

Switch# configure terminal
Switch(config)# ip igmp snooping querier query-interval 25
Switch(config)# end

This example shows how to set the IGMP snooping querier expiry timeout to 60 seconds:

Switch# configure terminal
Switch(config)# ip igmp snooping querier timer expiry 60
Switch(config)# end

This example shows how to set the IGMP snooping querier feature to version 2:

Switch# configure terminal
Switch(config)# ip igmp snooping querier version 2
Switch(config)# end
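For checking what a snooping querier, a leave, or a TCN query solicitation actually puts on the wire, the following Python codec builds and parses the IGMPv2 messages these sections refer to: general query, group-specific query, membership report, leave, and the global leave to 0.0.0.0 described under Recovering from Flood Mode. It is an added example and not Cisco code. The max response times used by the helpers (10 seconds for a general query, the leave timer for a group-specific query) are assumptions taken from the defaults in this chapter, and sending the bytes needs a raw socket that is not shown.

```python
"""IGMPv2 message builder and parser, RFC 2236 wire format (added example, not Cisco code).

Layout: type (1 byte), max response time (1 byte, tenths of a second),
checksum (2 bytes, one's-complement sum over the 8-byte message), group (4 bytes).
"""
import ipaddress
import struct

MEMBERSHIP_QUERY = 0x11
V1_MEMBERSHIP_REPORT = 0x12
V2_MEMBERSHIP_REPORT = 0x16
LEAVE_GROUP = 0x17
_NAMES = {MEMBERSHIP_QUERY: "query", V1_MEMBERSHIP_REPORT: "v1-report",
          V2_MEMBERSHIP_REPORT: "v2-report", LEAVE_GROUP: "leave"}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 for a message whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build(msg_type: int, group: str = "0.0.0.0", max_resp_tenths: int = 0) -> bytes:
    if msg_type not in _NAMES:
        raise ValueError("unknown IGMP type 0x%02x" % msg_type)
    if not 0 <= max_resp_tenths <= 255:
        raise ValueError("max response time is one byte of tenths of a second")
    body = struct.pack("!BBH4s", msg_type, max_resp_tenths, 0,
                       ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def parse(pkt: bytes) -> dict:
    if len(pkt) < 8:
        raise ValueError("IGMPv2 messages are 8 bytes")
    msg = pkt[:8]
    if checksum(msg) != 0:
        raise ValueError("bad IGMP checksum")
    msg_type, max_resp, _, raw_group = struct.unpack("!BBH4s", msg)
    if msg_type not in _NAMES:
        raise ValueError("unknown IGMP type 0x%02x" % msg_type)
    group = str(ipaddress.IPv4Address(raw_group))
    kind = _NAMES[msg_type]
    if msg_type == MEMBERSHIP_QUERY:
        kind = "general-query" if group == "0.0.0.0" else "group-specific-query"
    elif msg_type == LEAVE_GROUP and group == "0.0.0.0":
        kind = "global-leave"          # Cisco TCN query solicitation, not defined in RFC 2236
    return {"kind": kind, "type": msg_type, "group": group, "max_resp_tenths": max_resp}


# Constructors for the messages this chapter talks about (assumed defaults in the arguments).
def general_query(max_resp_seconds: int = 10) -> bytes:
    return build(MEMBERSHIP_QUERY, "0.0.0.0", max_resp_seconds * 10)


def group_specific_query(group: str, last_member_query_interval_ms: int = 1000) -> bytes:
    # the snooping leave timer reaches hosts as the query's max response time
    return build(MEMBERSHIP_QUERY, group, last_member_query_interval_ms // 100)


def report(group: str) -> bytes:
    return build(V2_MEMBERSHIP_REPORT, group)


def leave(group: str) -> bytes:
    return build(LEAVE_GROUP, group)


def global_leave() -> bytes:
    return build(LEAVE_GROUP, "0.0.0.0")
```

parse() rejects any frame whose checksum does not verify, so a capture that decodes cleanly here but is ignored by the switch points at the snooping configuration (querier address, version, Immediate Leave) rather than at the frame itself.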


Disabling  IGMP  Report  Suppression 

Note  IGMP report suppression is supported only when the multicast query has IGMPv1 and IGMPv2 reports. This feature is not supported when the query includes IGMPv3 reports.


IGMP  report  suppression  is  enabled  by  default.  When  it  is  enabled,  the  switch  forwards  only  one  IGMP 
report  per  multicast  router  query.  When  report  suppression  is  disabled,  all  IGMP  reports  are  forwarded 
to  the  multicast  routers. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  disable  IGMP  report  suppression: 


Command  Purpose

Step 1   configure terminal
         Enter global configuration mode.

Step 2   no ip igmp snooping report-suppression
         Disable IGMP report suppression.

Step 3   end
         Return to privileged EXEC mode.

Step 4   show ip igmp snooping
         Verify that IGMP report suppression is disabled.

Step 5   copy running-config startup-config
         (Optional) Save your entries in the configuration file.


To  re-enable  IGMP  report  suppression,  use  the  ip  igmp  snooping  report-suppression  global 
configuration  command. 


Displaying  IGMP  Snooping  Information 

You  can  display  IGMP  snooping  information  for  dynamically  learned  and  statically  configured  router 
ports  and  VLAN  interfaces.  You  can  also  display  MAC  address  multicast  entries  for  a  VLAN  configured 
for  IGMP  snooping. 
To display IGMP snooping information, use one or more of the privileged EXEC commands in Table 17-4.


Table  17-4  Commands  for  Displaying  IGMP  Snooping  Information 


Command 

Purpose 

show  ip  igmp  snooping  [vlan  vlan-id] 

Display  the  snooping  configuration  information  for  all  VLANs  on  the 
switch  or  for  a  specified  VLAN. 

(Optional)  Enter  vlan  vlan-id  to  display  information  for  a  single  VLAN. 
The  VLAN  ID  range  is  1  to  1001  and  1006  to  4094. 

show ip igmp snooping groups [count | dynamic [count] | user [count]]

Display  multicast  table  information  for  the  switch  or  about  a  specific 
parameter: 

•  count — Display  the  total  number  of  entries  for  the  specified 
command  options  instead  of  the  actual  entries. 

•  dynamic — Display  entries  learned  through  IGMP  snooping. 

•  user — Display  only  the  user-configured  multicast  entries. 

show ip igmp snooping groups vlan vlan-id [ip_address | count | dynamic [count] | user [count]]

Display  multicast  table  information  for  a  multicast  VLAN  or  about  a 
specific  parameter  for  the  VLAN: 

•  vlan-id—  The  VLAN  ID  range  is  1  to  1001  and  1006  to  4094. 

•  count — Display  the  total  number  of  entries  for  the  specified 
command  options  instead  of  the  actual  entries. 

•  dynamic — Display  entries  learned  through  IGMP  snooping. 

•  ip_address — Display  characteristics  of  the  multicast  group  with  the 
specified  group  IP  address. 

•  user — Display  only  the  user-configured  multicast  entries. 

show  ip  igmp  snooping  mrouter  [vlan  vlan-id] 

Display  information  on  dynamically  learned  and  manually  configured 
multicast  router  interfaces. 

Note     When  you  enable  IGMP  snooping,  the  switch  automatically 
learns  the  interface  to  which  a  multicast  router  is  connected. 
These  are  dynamically  learned  interfaces. 

(Optional)  Enter  vlan  vlan-id  to  display  information  for  a  single  VLAN. 

show  ip  igmp  snooping  querier  [vlan  vlan-id] 

Display  information  about  the  IP  address  and  receiving  port  for  the 
most-recently  received  IGMP  query  messages  in  the  VLAN. 

(Optional)  Enter  vlan  vlan-id  to  display  information  for  a  single  VLAN. 

show  ip  igmp  snooping  querier  [vlan  vlan-id] 
detail 

Display  information  about  the  IP  address  and  receiving  port  of  the 
most-recently  received  IGMP  query  message  in  the  VLAN  and  the 
configuration  and  operational  state  of  the  IGMP  snooping  querier  in  the 
VLAN. 

For  more  information  about  the  keywords  and  options  in  these  commands,  see  the  command  reference 
for  this  release. 
Understanding Multicast VLAN Registration

Multicast  VLAN  Registration  (MVR)  is  designed  for  applications  using  wide-scale  deployment  of 
multicast  traffic  across  an  Ethernet  ring-based  service-provider  network  (for  example,  the  broadcast  of 
multiple  television  channels  over  a  service-provider  network).  MVR  allows  a  subscriber  on  a  port  to 
subscribe  and  unsubscribe  to  a  multicast  stream  on  the  network-wide  multicast  VLAN.  It  allows  the 
single  multicast  VLAN  to  be  shared  in  the  network  while  subscribers  remain  in  separate  VLANs.  MVR 
provides  the  ability  to  continuously  send  multicast  streams  in  the  multicast  VLAN,  but  to  isolate  the 
streams  from  the  subscriber  VLANs  for  bandwidth  and  security  reasons. 

MVR  assumes  that  subscriber  ports  subscribe  and  unsubscribe  (join  and  leave)  these  multicast  streams 
by  sending  out  IGMP  join  and  leave  messages.  These  messages  can  originate  from  an  IGMP 
Version-2-compatible  blade  server  with  an  Ethernet  connection.  Although  MVR  operates  on  the 
underlying  mechanism  of  IGMP  snooping,  the  two  features  operate  independently  of  each  other.  One 
can  be  enabled  or  disabled  without  affecting  the  behavior  of  the  other  feature.  However,  if  IGMP 
snooping  and  MVR  are  both  enabled,  MVR  reacts  only  to  join  and  leave  messages  from  multicast  groups 
configured  under  MVR.  Join  and  leave  messages  from  all  other  multicast  groups  are  managed  by  IGMP 
snooping. 

The  switch  CPU  identifies  the  MVR  IP  multicast  streams  and  their  associated  IP  multicast  group  in  the 
switch  forwarding  table,  intercepts  the  IGMP  messages,  and  modifies  the  forwarding  table  to  include  or 
remove  the  subscriber  as  a  receiver  of  the  multicast  stream,  even  though  the  receivers  might  be  in  a 
different  VLAN  from  the  source.  This  forwarding  behavior  selectively  allows  traffic  to  cross  between 
different  VLANs. 

You  can  set  the  switch  for  compatible  or  dynamic  mode  of  MVR  operation: 

•  In compatible mode, multicast data received by MVR hosts is forwarded to all MVR data ports, regardless of MVR host membership on those ports. The multicast data is forwarded only to those receiver ports that MVR hosts have joined, either by IGMP reports or by MVR static configuration. IGMP reports received from MVR hosts are never forwarded from MVR data ports that were configured on the switch.

•  In dynamic mode, multicast data received by MVR hosts on the switch is forwarded from only those MVR data and client ports that the MVR hosts have joined, either by IGMP reports or by MVR static configuration. Any IGMP reports received from MVR hosts are also forwarded from all the MVR data ports on the switch. This eliminates using unnecessary bandwidth on MVR data port links, which occurs when the switch runs in compatible mode.

Only  Layer  2  ports  take  part  in  MVR.  You  must  configure  ports  as  MVR  receiver  ports.  Only  one  MVR 
multicast  VLAN  per  switch  is  supported. 
Using MVR in a Multicast Television Application

In  a  multicast  television  application,  a  PC  or  a  television  with  a  set-top  box  can  receive  the  multicast 
stream.  Multiple  set-top  boxes  or  PCs  can  be  connected  to  one  subscriber  port,  which  is  a  switch  port 
configured  as  an  MVR  receiver  port.  Figure  17-3  is  an  example  configuration.  DHCP  assigns  an  IP 
address  to  the  set-top  box  or  the  PC.  When  a  subscriber  selects  a  channel,  the  set-top  box  or  PC  sends 
an  IGMP  report  to  Switch  A  to  join  the  appropriate  multicast.  If  the  IGMP  report  matches  one  of  the 
configured  IP  multicast  group  addresses,  the  switch  CPU  modifies  the  hardware  address  table  to  include 
this  receiver  port  and  VLAN  as  a  forwarding  destination  of  the  specified  multicast  stream  when  it  is 
received  from  the  multicast  VLAN.  Uplink  ports  that  send  and  receive  multicast  data  to  and  from  the 
multicast  VLAN  are  called  MVR  source  ports. 


Figure  17-3        Multicast  VLAN  Registration  Example 
When a subscriber changes channels or turns off the television, the set-top box sends an IGMP leave
message  for  the  multicast  stream.  The  switch  CPU  sends  a  MAC-based  general  query  through  the 
receiver  port  VLAN.  If  there  is  another  set-top  box  in  the  VLAN  still  subscribing  to  this  group,  that 
set-top  box  must  respond  within  the  maximum  response  time  specified  in  the  query.  If  the  CPU  does  not 
receive  a  response,  it  eliminates  the  receiver  port  as  a  forwarding  destination  for  this  group. 

Without  Immediate  Leave,  when  the  switch  receives  an  IGMP  leave  message  from  a  subscriber  on  a 
receiver  port,  it  sends  out  an  IGMP  query  on  that  port  and  waits  for  IGMP  group  membership  reports.  If 
no  reports  are  received  in  a  configured  time  period,  the  receiver  port  is  removed  from  multicast  group 
membership.  With  Immediate  Leave,  an  IGMP  query  is  not  sent  from  the  receiver  port  on  which  the 
IGMP  leave  was  received.  As  soon  as  the  leave  message  is  received,  the  receiver  port  is  removed  from 
multicast  group  membership,  which  speeds  up  leave  latency.  Enable  the  Immediate-Leave  feature  only 
on  receiver  ports  to  which  a  single  receiver  device  is  connected. 

MVR eliminates the need to duplicate television-channel multicast traffic for subscribers in each VLAN. Multicast traffic for all channels is sent around the VLAN trunk only once, on the multicast VLAN. The IGMP leave and join messages are in the VLAN to which the subscriber port is assigned. These messages dynamically register for streams of multicast traffic in the multicast VLAN on the Layer 3 device, Switch B. The access layer switch, Switch A, modifies the forwarding behavior to allow the traffic to be forwarded from the multicast VLAN to the subscriber port in a different VLAN, selectively allowing traffic to cross between two VLANs.

IGMP  reports  are  sent  to  the  same  IP  multicast  group  address  as  the  multicast  data.  The  Switch  A  CPU 
must  capture  all  IGMP  join  and  leave  messages  from  receiver  ports  and  forward  them  to  the  multicast 
VLAN  of  the  source  (uplink)  port,  based  on  the  MVR  mode. 

Configuring  MVR 

These  sections  contain  this  configuration  information: 

•  Default MVR Configuration

•  MVR Configuration Guidelines and Limitations

•  Configuring MVR Global Parameters

•  Configuring MVR Interfaces

Default  MVR  Configuration 

Table 17-5 shows the default MVR configuration.

Table 17-5  Default MVR Configuration

Feature                        Default Setting
MVR                            Disabled globally and per interface
Multicast addresses            None configured
Query response time            0.5 second
Multicast VLAN                 VLAN 1
Mode                           Compatible
Interface (per port) default   Neither a receiver nor a source port
Immediate Leave                Disabled on all ports

MVR  Configuration  Guidelines  and  Limitations 

Follow  these  guidelines  when  configuring  MVR: 

•  Receiver  ports  can  only  be  access  ports;  they  cannot  be  trunk  ports.  Receiver  ports  on  a  switch  can 
be  in  different  VLANs,  but  should  not  belong  to  the  multicast  VLAN. 

•  The  maximum  number  of  multicast  entries  (MVR  group  addresses)  that  can  be  configured  on  a 
switch  (that  is,  the  maximum  number  of  television  channels  that  can  be  received)  is  256. 

•  MVR  multicast  data  received  in  the  source  VLAN  and  leaving  from  receiver  ports  has  its 
time-to-live  (TTL)  decremented  by  1  in  the  switch. 

•  Because  MVR  on  the  switch  uses  IP  multicast  addresses  instead  of  MAC  multicast  addresses, 
aliased  IP  multicast  addresses  are  allowed  on  the  switch.  However,  if  the  switch  is  interoperating 
with  Catalyst  3550  or  Catalyst  3500  XL  switches,  you  should  not  configure  IP  addresses  that  alias 
between  themselves  or  with  the  reserved  IP  multicast  addresses  (in  the  range  224.0.0.xxx). 

•  MVR  can  coexist  with  IGMP  snooping  on  a  switch. 

•  MVR  data  received  on  an  MVR  receiver  port  is  not  forwarded  to  MVR  source  ports. 

•  MVR  does  not  support  IGMPv3  messages. 
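The following Python model is an added illustration of the MVR behavior described above (the two operating modes, receiver and source ports, and the guidelines in this section); it is not Cisco code. Port names, VLAN numbers, group addresses and TTL values are made up. It enforces the placement rules (source ports in the multicast VLAN, receiver ports outside it, at most 256 groups), hands joins for non-MVR groups to IGMP snooping, forwards multicast-VLAN data only to receiver ports that joined while decrementing TTL, never forwards data that arrives on a receiver port, relays reports out source ports only in dynamic mode, and applies Immediate Leave on receiver ports. Whether another receiver answers the query after a leave is passed in as a flag rather than modelled with timers.

```python
"""Forwarding model for Multicast VLAN Registration (added illustration, not Cisco code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

MAX_MVR_GROUPS = 256


@dataclass
class Port:
    name: str
    vlan: int
    mvr_type: Optional[str] = None      # "source", "receiver" or None (not an MVR port)
    immediate_leave: bool = False       # mvr immediate (receiver ports only)


@dataclass
class MvrSwitch:
    mvr_vlan: int = 1                   # mvr vlan <id>
    mode: str = "compatible"            # mvr mode {dynamic | compatible}
    groups: set = field(default_factory=set)
    ports: dict = field(default_factory=dict)
    members: dict = field(default_factory=dict)          # group -> set of port names
    to_snooping: list = field(default_factory=list)      # (port, group) left to IGMP snooping
    relayed_reports: list = field(default_factory=list)  # (source port, group) sent upstream

    def add_port(self, port: Port) -> None:
        if port.mvr_type == "source" and port.vlan != self.mvr_vlan:
            raise ValueError(f"{port.name}: source ports must belong to VLAN {self.mvr_vlan}")
        if port.mvr_type == "receiver" and port.vlan == self.mvr_vlan:
            raise ValueError(f"{port.name}: receiver ports cannot belong to the multicast VLAN")
        if port.immediate_leave and port.mvr_type != "receiver":
            raise ValueError(f"{port.name}: mvr immediate applies to receiver ports only")
        self.ports[port.name] = port

    def add_group(self, first: str, count: int = 1) -> None:
        # mvr group ip-address [count]: a contiguous block of group addresses
        if len(self.groups) + count > MAX_MVR_GROUPS:
            raise ValueError("at most 256 MVR group addresses per switch")
        base = int(ipaddress.IPv4Address(first))
        for i in range(count):
            self.groups.add(str(ipaddress.IPv4Address(base + i)))

    def static_join(self, port_name: str, group: str) -> None:
        # mvr vlan <id> group <addr>: receiver ports in both modes, source ports only in dynamic mode
        port = self.ports[port_name]
        allowed = port.mvr_type == "receiver" or (port.mvr_type == "source" and self.mode == "dynamic")
        if not allowed or group not in self.groups:
            raise ValueError(f"{port_name}: cannot statically join {group}")
        self.members.setdefault(group, set()).add(port_name)

    def on_join(self, port_name: str, group: str) -> None:
        port = self.ports[port_name]
        if group not in self.groups or port.mvr_type != "receiver":
            self.to_snooping.append((port_name, group))   # MVR reacts only to its own groups
            return
        self.members.setdefault(group, set()).add(port_name)
        if self.mode == "dynamic":                         # relay the report out every source port
            for p in self.ports.values():
                if p.mvr_type == "source":
                    self.relayed_reports.append((p.name, group))

    def on_leave(self, port_name: str, group: str, another_receiver_answers: bool = False) -> None:
        port = self.ports[port_name]
        if group not in self.groups or port.mvr_type != "receiver":
            self.to_snooping.append((port_name, group))
            return
        # Immediate Leave prunes at once; otherwise the port is kept only if another
        # receiver on it answers the group-specific query within the MVR querytime.
        if port.immediate_leave or not another_receiver_answers:
            self.members.get(group, set()).discard(port_name)

    def forward(self, in_port_name: str, group: str, ttl: int) -> dict:
        """Egress ports and outgoing TTL for a packet to `group` that entered on `in_port_name`."""
        in_port = self.ports[in_port_name]
        if group not in self.groups:
            return {}            # not MVR traffic: ordinary bridging/snooping applies (not modelled)
        if in_port.mvr_type != "source":
            return {}            # includes receiver ports: their data is never sent to source ports
        out = {}
        for name in self.members.get(group, ()):
            if self.ports[name].mvr_type == "receiver":
                out[name] = ttl - 1           # leaves the multicast VLAN: TTL decremented by 1
            elif self.mode == "dynamic" and name != in_port_name:
                out[name] = ttl               # dynamic mode: only source ports that joined
        if self.mode == "compatible":         # compatible mode: every other source port
            for p in self.ports.values():
                if p.mvr_type == "source" and p.name != in_port_name:
                    out[p.name] = ttl
        return out


def build_example() -> MvrSwitch:
    """Constructed topology (made up): one uplink in VLAN 22 and two subscriber ports."""
    sw = MvrSwitch(mvr_vlan=22, mode="dynamic")
    sw.add_group("228.1.23.4", count=4)
    sw.add_port(Port("Gi0/1", 22, "source"))
    sw.add_port(Port("Gi0/2", 10, "receiver", immediate_leave=True))
    sw.add_port(Port("Gi0/3", 11, "receiver"))
    sw.on_join("Gi0/2", "228.1.23.4")
    sw.on_join("Gi0/3", "228.1.23.4")
    sw.on_join("Gi0/3", "239.9.9.9")      # not an MVR group: left to IGMP snooping
    return sw
```

In build_example(), a stream for 228.1.23.4 entering on Gi0/1 reaches Gi0/2 and Gi0/3 with TTL reduced by one, the same stream injected on Gi0/2 goes nowhere, and a leave on Gi0/2 drops that port even when another receiver would have answered, because Immediate Leave is enabled there.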

Configuring  MVR  Global  Parameters 

You  do  not  need  to  set  the  optional  MVR  parameters  if  you  choose  to  use  the  default  settings.  If  you  do 
want  to  change  the  default  parameters  (except  for  the  MVR  VLAN),  you  must  first  enable  MVR. 

Note      For  complete  syntax  and  usage  information  for  the  commands  used  in  this  section,  see  the  command 
reference  for  this  release. 


Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  MVR  parameters: 


Command  Purpose

Step 1   configure terminal
         Enter global configuration mode.

Step 2   mvr
         Enable MVR on the switch.

Step 3   mvr group ip-address [count]
         Configure an IP multicast address on the switch or use the count parameter to configure a contiguous series of MVR group addresses (the range for count is 1 to 256; the default is 1). Any multicast data sent to this address is sent to all source ports on the switch and all receiver ports that have elected to receive data on that multicast address. Each multicast address would correspond to one television channel.

Step 4   mvr querytime value
         (Optional) Define the maximum time to wait for IGMP report memberships on a receiver port before removing the port from multicast group membership. The value is in units of tenths of a second. The range is 1 to 100, and the default is 5 tenths or one-half second.

Step 5   mvr vlan vlan-id
         (Optional) Specify the VLAN in which multicast data is received; all source ports must belong to this VLAN. The VLAN range is 1 to 1001 and 1006 to 4094. The default is VLAN 1.

Step 6   mvr mode {dynamic | compatible}
         (Optional) Specify the MVR mode of operation:
         •  dynamic—Allows dynamic MVR membership on source ports.
         •  compatible—Is compatible with Catalyst 3500 XL and Catalyst 2900 XL switches and does not support IGMP dynamic joins on source ports.
         The default is compatible mode.

Step 7   end
         Return to privileged EXEC mode.

Step 8   show mvr or show mvr members
         Verify the configuration.

Step 9   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To return the switch to its default settings, use the no mvr [mode | group ip-address | querytime | vlan] global configuration commands.

This  example  shows  how  to  enable  MVR,  configure  the  group  address,  set  the  query  time  to  1  second 
(10  tenths),  specify  the  MVR  multicast  VLAN  as  VLAN  22,  and  set  the  MVR  mode  as  dynamic: 

Switch(config)# mvr
Switch(config)# mvr group 228.1.23.4
Switch(config)# mvr querytime 10
Switch(config)# mvr vlan 22
Switch(config)# mvr mode dynamic
Switch(config)# end

You  can  use  the  show  mvr  members  privileged  EXEC  command  to  verify  the  MVR  multicast  group 
addresses  on  the  switch. 


Configuring  MVR  Interfaces 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  Layer  2  MVR  interfaces: 


Command  Purpose

Step 1   configure terminal
         Enter global configuration mode.

Step 2   mvr
         Enable MVR on the switch.

Step 3   interface interface-id
         Specify the Layer 2 port to configure, and enter interface configuration mode.

Step 4   mvr type {source | receiver}
         Configure an MVR port as one of these:
         •  source—Configure uplink ports that receive and send multicast data as source ports. Subscribers cannot be directly connected to source ports. All source ports on a switch belong to the single multicast VLAN.
         •  receiver—Configure a port as a receiver port if it is a subscriber port and should only receive multicast data. It does not receive data unless it becomes a member of the multicast group, either statically or by using IGMP leave and join messages. Receiver ports cannot belong to the multicast VLAN.
         The default configuration is as a non-MVR port. If you attempt to configure a non-MVR port with MVR characteristics, the operation fails.

Step 5   mvr vlan vlan-id group [ip-address]
         (Optional) Statically configure a port to receive multicast traffic sent to the multicast VLAN and the IP multicast address. A port statically configured as a member of a group remains a member of the group until statically removed.

         Note  In compatible mode, this command applies to only receiver ports. In dynamic mode, it applies to receiver ports and source ports.

         Receiver ports can also dynamically join multicast groups by using IGMP join and leave messages.

Step 6   mvr immediate
         (Optional) Enable the Immediate-Leave feature of MVR on the port.

         Note  This command applies to only receiver ports and should only be enabled on receiver ports to which a single receiver device is connected.

Step 7   end
         Return to privileged EXEC mode.

Step 8   show mvr
         show mvr interface
         or
         show mvr members
         Verify the configuration.

Step 9   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To return the interface to its default settings, use the no mvr [type | immediate | vlan vlan-id | group] interface configuration commands.

This example shows how to configure a port as a receiver port, statically configure the port to receive multicast traffic sent to the multicast group address, configure Immediate Leave on the port, and verify the results.

Switch(config)# mvr
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# mvr type receiver
Switch(config-if)# mvr vlan 22 group 228.1.23.4
Switch(config-if)# mvr immediate
Switch(config-if)# end
Switch# show mvr interface
Port      Type       Status        Immediate Leave
Gi0/2     RECEIVER   ACTIVE/DOWN   ENABLED
Displaying MVR Information

You  can  display  MVR  information  for  the  switch  or  for  a  specified  interface.  Beginning  in  privileged 
EXEC  mode,  use  the  commands  in  Table  17-6  to  display  MVR  configuration: 


Table  17-6  Commands  for  Displaying  MVR  Information 


Command 

Purpose 

show  mvr 

Displays  MVR  status  and  values  for  the  switch — whether  MVR  is  enabled  or  disabled, 
the  multicast  VLAN,  the  maximum  (256)  and  current  (0  through  256)  number  of 
multicast  groups,  the  query  response  time,  and  the  MVR  mode. 

show  mvr  interface  [interface-id] 
[members  [vlan  vlan-id]] 

Displays  all  MVR  interfaces  and  their  MVR  configurations. 
When  a  specific  interface  is  entered,  displays  this  information: 

•  Type — Receiver  or  Source 

•  Status — One  of  these: 

-  Active  means  the  port  is  part  of  a  VLAN. 

-  Up/Down  means  that  the  port  is  forwarding  or  nonforwarding. 

-  Inactive  means  that  the  port  is  not  part  of  any  VLAN. 

•  Immediate  Leave — Enabled  or  Disabled 

If  the  members  keyword  is  entered,  displays  all  multicast  group  members  on  this  port  or, 
if  a  VLAN  identification  is  entered,  all  multicast  group  members  on  the  VLAN.  The 
VLAN  ID  range  is  1  to  1001  and  1006  to  4094. 

show  mvr  members  [ip-address] 

Displays  all  receiver  and  source  ports  that  are  members  of  any  IP  multicast  group  or  the 
specified  IP  multicast  group  IP  address. 

Configuring IGMP Filtering and Throttling

In some environments, for example, metropolitan or multiple-dwelling unit (MDU) installations, you
might want to control the set of multicast groups to which a user on a switch port can belong. You can
control the distribution of multicast services, such as IP/TV, based on some type of subscription or
service plan. You might also want to limit the number of multicast groups to which a user on a switch
port can belong.

With the IGMP filtering feature, you can filter multicast joins on a per-port basis by configuring IP
multicast profiles and associating them with individual switch ports. An IGMP profile can contain one
or more multicast groups and specifies whether access to the group is permitted or denied. If an IGMP
profile denying access to a multicast group is applied to a switch port, the IGMP join report requesting
the stream of IP multicast traffic is dropped, and the port is not allowed to receive IP multicast traffic
from that group. If the filtering action permits access to the multicast group, the IGMP report from the
port is forwarded for normal processing. You can also set the maximum number of IGMP groups that a
Layer 2 interface can join.

IGMP filtering controls only group-specific query and membership reports, including join and leave
reports. It does not control general IGMP queries. IGMP filtering has no relationship with the function
that directs the forwarding of IP multicast traffic. The filtering feature operates in the same manner
whether CGMP or MVR is used to forward the multicast traffic.

IGMP filtering is applicable only to the dynamic learning of IP multicast group addresses, not static
configuration.

With the IGMP throttling feature, you can set the maximum number of IGMP groups that a Layer 2
interface can join. If the maximum number of IGMP groups is set, the IGMP snooping forwarding table
contains the maximum number of entries, and the interface receives an IGMP join report, you can
configure an interface to drop the IGMP report or to replace the randomly selected multicast entry with
the received IGMP report.

Note  IGMPv3 join and leave messages are not supported on switches running IGMP filtering.

These sections contain this configuration information:

•  Default IGMP Filtering and Throttling Configuration, page 17-24

•  Configuring IGMP Profiles, page 17-24 (optional)

•  Applying IGMP Profiles, page 17-25 (optional)

•  Setting the Maximum Number of IGMP Groups, page 17-26 (optional)

•  Configuring the IGMP Throttling Action, page 17-27 (optional)

Default IGMP Filtering and Throttling Configuration

Table 17-7 shows the default IGMP filtering configuration.

Table 17-7  Default IGMP Filtering Configuration

Feature                                   Default Setting
IGMP filters                              None applied
IGMP maximum number of IGMP groups        No maximum set
IGMP profiles                             None defined
IGMP profile action                       Deny the range addresses

When the maximum number of groups is in the forwarding table, the default IGMP throttling action is to
deny the IGMP report. For configuration guidelines, see the "Configuring the IGMP Throttling Action"
section on page 17-27.

Configuring IGMP Profiles

To configure an IGMP profile, use the ip igmp profile global configuration command with a profile
number to create an IGMP profile and to enter IGMP profile configuration mode. From this mode, you
can specify the parameters of the IGMP profile to be used for filtering IGMP join requests from a port.
When you are in IGMP profile configuration mode, you can create the profile by using these commands:

•  deny: Specifies that matching addresses are denied; this is the default.

•  exit: Exits from igmp-profile configuration mode.

•  no: Negates a command or returns to its defaults.

•  permit: Specifies that matching addresses are permitted.

•  range: Specifies a range of IP addresses for the profile. You can enter a single IP address or a range
   with a start and an end address.

The default is for the switch to have no IGMP profiles configured. When a profile is configured, if
neither the permit nor deny keyword is included, the default is to deny access to the range of IP
addresses.

Beginning in privileged EXEC mode, follow these steps to create an IGMP profile:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  ip igmp profile profile number
        Assign a number to the profile you are configuring, and enter IGMP profile configuration mode.
        The profile number range is 1 to 4294967295.

Step 3  permit | deny
        (Optional) Set the action to permit or deny access to the IP multicast address. If no action is
        configured, the default for the profile is to deny access.

Step 4  range ip multicast address
        Enter the IP multicast address or range of IP multicast addresses to which access is being
        controlled. If entering a range, enter the low IP multicast address, a space, and the high IP
        multicast address.

        You can use the range command multiple times to enter multiple addresses or ranges of
        addresses.

Step 5  end
        Return to privileged EXEC mode.

Step 6  show ip igmp profile profile number
        Verify the profile configuration.

Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To delete a profile, use the no ip igmp profile profile number global configuration command.

To delete an IP multicast address or range of IP multicast addresses, use the no range ip multicast
address IGMP profile configuration command.

This example shows how to create IGMP profile 4 allowing access to the single IP multicast address and
how to verify the configuration. If the action was to deny (the default), it would not appear in the show
ip igmp profile output display.

Switch(config)# ip igmp profile 4
Switch(config-igmp-profile)# permit
Switch(config-igmp-profile)# range 229.9.9.0
Switch(config-igmp-profile)# end
Switch# show ip igmp profile 4
IGMP Profile 4
    permit
    range 229.9.9.0 229.9.9.0

Applying IGMP Profiles

To control access as defined in an IGMP profile, use the ip igmp filter interface configuration command
to apply the profile to the appropriate interfaces. You can apply IGMP profiles only to Layer 2 access
ports. You cannot apply profiles to ports that belong to an EtherChannel port group. You can apply a
profile to multiple interfaces, but each interface can have only one profile applied to it.

Beginning in privileged EXEC mode, follow these steps to apply an IGMP profile to a switch port:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify the physical interface, and enter interface configuration mode. The interface must be a
        Layer 2 port that does not belong to an EtherChannel port group.

Step 3  ip igmp filter profile number
        Apply the specified IGMP profile to the interface. The range is 1 to 4294967295.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show running-config interface interface-id
        Verify the configuration.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To remove a profile from an interface, use the no ip igmp filter profile number interface configuration
command.

This example shows how to apply IGMP profile 4 to a port:

Switch(config)# interface gigabitethernet0/2
Switch(config-if)# ip igmp filter 4
Switch(config-if)# end

Setting the Maximum Number of IGMP Groups

You can set the maximum number of IGMP groups that a Layer 2 interface can join by using the ip igmp
max-groups interface configuration command. Use the no form of this command to set the maximum
back to the default, which is no limit.

You can use this command on a logical EtherChannel interface but cannot use it on ports that belong to
an EtherChannel port group.

Beginning in privileged EXEC mode, follow these steps to set the maximum number of IGMP groups in
the forwarding table:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify the interface to be configured, and enter interface configuration mode. The interface can
        be a Layer 2 port that does not belong to an EtherChannel group or an EtherChannel interface.

Step 3  ip igmp max-groups number
        Set the maximum number of IGMP groups that the interface can join. The range is 0 to
        4294967294. The default is to have no maximum set.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show running-config interface interface-id
        Verify the configuration.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To remove the maximum group limitation and return to the default of no maximum, use the no ip igmp
max-groups interface configuration command.

This example shows how to limit to 25 the number of IGMP groups that a port can join.

Switch(config)# interface gigabitethernet0/2
Switch(config-if)# ip igmp max-groups 25
Switch(config-if)# end

Configuring the IGMP Throttling Action

After you set the maximum number of IGMP groups that a Layer 2 interface can join, you can configure
an interface to replace the existing group with the new group for which the IGMP report was received
by using the ip igmp max-groups action replace interface configuration command. Use the no form of
this command to return to the default, which is to drop the IGMP join report.

Follow these guidelines when configuring the IGMP throttling action:

•  You can use this command on a logical EtherChannel interface but cannot use it on ports that belong
   to an EtherChannel port group.

•  When the maximum group limitation is set to the default (no maximum), entering the ip igmp
   max-groups action {deny | replace} command has no effect.

•  If you configure the throttling action and set the maximum group limitation after an interface has
   added multicast entries to the forwarding table, the forwarding-table entries are either aged out or
   removed, depending on the throttling action.

   -  If you configure the throttling action as deny, the entries that were previously in the forwarding
      table are not removed but are aged out. After these entries are aged out and the maximum
      number of entries is in the forwarding table, the switch drops the next IGMP report received on
      the interface.

   -  If you configure the throttling action as replace, the entries that were previously in the
      forwarding table are removed. When the maximum number of entries is in the forwarding table,
      the switch replaces a randomly selected entry with the received IGMP report.

To prevent the switch from removing the forwarding-table entries, you can configure the IGMP
throttling action before an interface adds entries to the forwarding table.

Beginning in privileged EXEC mode, follow these steps to configure the throttling action when the
maximum number of entries is in the forwarding table:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify the physical interface to be configured, and enter interface configuration mode. The
        interface can be a Layer 2 port that does not belong to an EtherChannel group or an EtherChannel
        interface. The interface cannot be a trunk port.

Step 3  ip igmp max-groups action {deny | replace}
        When an interface receives an IGMP report and the maximum number of entries is in the
        forwarding table, specify the action that the interface takes:
        •  deny: Drop the report.
        •  replace: Replace the existing group with the new group for which the IGMP report was
           received.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show running-config interface interface-id
        Verify the configuration.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To return to the default action of dropping the report, use the no ip igmp max-groups action interface
configuration command.
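A Python model of the max-groups limit and the throttling action, written for this section and the guidelines above; it is an added example, not Cisco code. The age limit, the tick-based ageing and the group addresses are constructed, and the random choice of the replaced entry is seeded so that a run is repeatable.

```python
"""Model of IGMP throttling on a Layer 2 port (added example, not Cisco code).

Covers the 'ip igmp max-groups' limit and the 'ip igmp max-groups action
{deny | replace}' behaviour described above, including what happens to
entries that are already in the forwarding table when throttling is
configured afterwards. Entry ageing is simulated with an explicit tick; the
age limit and the group addresses are constructed values.
"""
import random
from typing import Dict, List, Optional


class ThrottledPort:
    AGE_LIMIT = 3   # constructed: ticks an entry survives without a refresh

    def __init__(self, rng: Optional[random.Random] = None) -> None:
        self.max_groups: Optional[int] = None   # default: no maximum set
        self.action = "deny"                    # default throttling action
        self.table: Dict[str, int] = {}         # group -> age in ticks
        self.rng = rng or random.Random(0)      # seeded so runs are repeatable

    def configure_throttling(self, max_groups: Optional[int], action: str) -> None:
        """Apply 'ip igmp max-groups N' together with the action command.
        Per the guidelines: without a limit the action has no effect; with
        deny, existing entries are left to age out; with replace, they are
        removed immediately."""
        if action not in ("deny", "replace"):
            raise ValueError("action must be deny or replace")
        self.max_groups = max_groups
        if max_groups is None:
            return
        self.action = action
        if action == "replace":
            self.table.clear()

    def handle_join(self, group: str) -> str:
        """Process one IGMP join report and say what happened to it."""
        if group in self.table:
            self.table[group] = 0               # refresh the existing entry
            return "refreshed"
        if self.max_groups is None or len(self.table) < self.max_groups:
            self.table[group] = 0
            return "added"
        if self.action == "deny":
            return "dropped"                    # report dropped, table unchanged
        victim = self.rng.choice(sorted(self.table))   # randomly selected entry
        del self.table[victim]
        self.table[group] = 0
        return f"replaced {victim}"

    def tick(self) -> List[str]:
        """Advance time by one tick and return the groups that aged out."""
        aged = sorted(g for g, age in self.table.items() if age + 1 >= self.AGE_LIMIT)
        for g in aged:
            del self.table[g]
        for g in self.table:
            self.table[g] += 1
        return aged

    def groups(self) -> List[str]:
        return sorted(self.table)


def scenario_deny_after_learning() -> dict:
    """Three groups are learned, then 'max-groups 2' with action deny is set:
    nothing is removed, a fourth join is dropped, and joins succeed again
    only after the old entries age out."""
    port = ThrottledPort()
    for g in ("239.0.0.1", "239.0.0.2", "239.0.0.3"):
        port.handle_join(g)
    port.configure_throttling(2, "deny")
    kept = port.groups()
    while_full = port.handle_join("239.0.0.4")
    aged: List[str] = []
    for _ in range(ThrottledPort.AGE_LIMIT):
        aged += port.tick()
    after_ageing = port.handle_join("239.0.0.4")
    return {"kept": kept, "while_full": while_full, "aged": aged, "after": after_ageing}


def scenario_replace_after_learning() -> dict:
    """Same start, but action replace: the learned entries are removed at once,
    and once the table is full again a random entry gives way to the new join."""
    port = ThrottledPort(random.Random(1))
    for g in ("239.0.0.1", "239.0.0.2", "239.0.0.3"):
        port.handle_join(g)
    port.configure_throttling(2, "replace")
    cleared = port.groups()
    port.handle_join("239.0.0.5")
    port.handle_join("239.0.0.6")
    result = port.handle_join("239.0.0.7")
    return {"cleared": cleared, "result": result, "groups": port.groups()}


if __name__ == "__main__":
    print(scenario_deny_after_learning())
    print(scenario_replace_after_learning())
```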


Displaying IGMP Filtering and Throttling Configuration

You can display IGMP profile characteristics, and you can display the IGMP profile and maximum group
configuration for all interfaces on the switch or for a specified interface. You can also display the IGMP
throttling configuration for all interfaces on the switch or for a specified interface.

Use the privileged EXEC commands in Table 17-8 to display IGMP filtering and throttling
configuration:

Table 17-8  Commands for Displaying IGMP Filtering and Throttling Configuration

Command / Purpose

show ip igmp profile [profile number]
    Displays the specified IGMP profile or all the IGMP profiles defined on the switch.

show running-config [interface interface-id]
    Displays the configuration of the specified interface or the configuration of all interfaces on the
    switch, including (if configured) the maximum number of IGMP groups to which an interface can
    belong and the IGMP profile applied to the interface.
Configuring Port-Based Traffic Control

This chapter describes how to configure the port-based traffic control features on the switch.

Note  For complete syntax and usage information for the commands used in this chapter, see the command
reference for this release.

This chapter consists of these sections:

•  Configuring Storm Control, page 18-1

•  Configuring Protected Ports, page 18-5

•  Configuring Port Blocking, page 18-6

•  Configuring Port Security, page 18-7

•  Displaying Port-Based Traffic Control Settings, page 18-17

Configuring Storm Control

These sections contain this conceptual and configuration information:

•  Understanding Storm Control, page 18-1

•  Default Storm Control Configuration, page 18-3

•  Configuring Storm Control and Threshold Levels, page 18-3

Understanding Storm Control

Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm
on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive
traffic and degrading network performance. Errors in the protocol-stack implementation, mistakes in
network configurations, or users issuing a denial-of-service attack can cause a storm.

Storm control (or traffic suppression) monitors packets passing from an interface to the switching bus
and determines if the packet is unicast, multicast, or broadcast. The switch counts the number of packets
of a specified type received within the 1-second time interval and compares the measurement with a
predefined suppression-level threshold.

Storm control uses one of these methods to measure traffic activity:

•  Bandwidth as a percentage of the total available bandwidth of the port that can be used by the
   broadcast, multicast, or unicast traffic

•  Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
   (Cisco IOS Release 12.2(25)SE1 or later)

•  Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received (Cisco
   IOS Release 12.2(25)SE1 or later)

With each method, the port blocks traffic when the rising threshold is reached. The port remains blocked
until the traffic rate drops below the falling threshold (if one is specified) and then resumes normal
forwarding. If the falling suppression level is not specified, the switch blocks all traffic until the traffic
rate drops below the rising suppression level. In general, the higher the level, the less effective the
protection against broadcast storms.

Note  When the storm control threshold for multicast traffic is reached, all multicast traffic except control
traffic, such as bridge protocol data unit (BPDU) and Cisco Discovery Protocol (CDP) frames, is
blocked.

The graph in Figure 18-1 shows broadcast traffic patterns on an interface over a given period of time.
The example can also be applied to multicast and unicast traffic. In this example, the broadcast traffic
being forwarded exceeded the configured threshold between time intervals T1 and T2 and between T4
and T5. When the amount of specified traffic exceeds the threshold, all traffic of that kind is dropped for
the next time period. Therefore, broadcast traffic is blocked during the intervals following T2 and T5.
At the next time interval (for example, T3), if broadcast traffic does not exceed the threshold, it is again
forwarded.

Figure 18-1  Broadcast Storm Control Example
(Graph: vertical axis "Total number of broadcast packets or bytes" over time; legend distinguishes
forwarded traffic from blocked traffic.)

The combination of the storm-control suppression level and the 1-second time interval controls the way
the storm control algorithm works. A higher threshold allows more packets to pass through. A threshold
value of 100 percent means that no limit is placed on the traffic. A value of 0.0 means that all broadcast,
multicast, or unicast traffic on that port is blocked.

Note  Because packets do not arrive at uniform intervals, the 1-second time interval during which traffic
activity is measured can affect the behavior of storm control.

You use the storm-control interface configuration commands to set the threshold value for each
traffic type.
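The rising/falling threshold behaviour described above, and the interval-by-interval blocking in the Figure 18-1 discussion, as an added Python model (not Cisco code). Measurements are percent-of-bandwidth samples, one per 1-second interval; the threshold settings and the sample traffic values used in the runs are constructed.

```python
"""Model of the storm control decision per 1-second interval (added example,
not Cisco code).

Traffic of one type is measured once per interval as a percentage of port
bandwidth. When a measurement reaches the rising level, that traffic type is
dropped for the next interval and stays dropped until a measurement falls
below the falling level (equal to the rising level when not configured).
A level of 100 percent places no limit; a level of 0.0 blocks everything.
The optional shutdown and trap actions are recorded as events.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class StormControl:
    """storm-control <type> level <rising> [<falling>] on one interface."""
    rising: float
    falling: Optional[float] = None
    action: str = "filter"      # default: filter the traffic, no trap, no shutdown
    blocked: bool = False
    errdisabled: bool = False
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 0.0 <= self.rising <= 100.0:
            raise ValueError("level must be 0.00 to 100.00")
        if self.action not in ("filter", "trap", "shutdown"):
            raise ValueError("action must be filter, trap or shutdown")
        if self.falling is None:
            self.falling = self.rising          # documented default
        if self.falling > self.rising:
            raise ValueError("falling level must not exceed the rising level")

    def observe(self, percent: float) -> bool:
        """Feed one interval's measurement. Returns True if the NEXT interval
        of this traffic type is forwarded, False if it is dropped."""
        if self.errdisabled:
            return False                        # port is error-disabled
        if self.rising >= 100.0:
            self.blocked = False                # 100 percent: no limit
        elif self.blocked:
            self.blocked = percent >= self.falling   # resume only below falling level
        elif percent >= self.rising:            # rising threshold reached
            self.blocked = True
            self._storm_detected()
        return not self.blocked

    def _storm_detected(self) -> None:
        if self.action == "trap":
            self.events.append("snmp-trap")
        elif self.action == "shutdown":
            self.events.append("err-disable")
            self.errdisabled = True


def simulate(sc: StormControl, samples: List[float]) -> List[bool]:
    """Apply per-interval measurements in order; element i says whether the
    interval after sample i forwards this traffic type."""
    return [sc.observe(s) for s in samples]


def run_with_action(action: str, samples: List[float]) -> Tuple[List[bool], List[str]]:
    """Run a 20 percent broadcast setting with the given storm-control action
    and return (per-interval decisions, recorded events)."""
    sc = StormControl(20.0, action=action)
    return simulate(sc, samples), list(sc.events)


# Constructed per-interval measurements (percent of port bandwidth).
UNICAST_SAMPLES = [50.0, 90.0, 70.0, 60.0, 50.0]
BROADCAST_SAMPLES = [10.0, 25.0, 19.0, 21.0, 5.0]

if __name__ == "__main__":
    # 87 percent rising, 65 percent falling: stays blocked through the 70
    # percent interval and resumes only once traffic drops to 60 percent.
    print(simulate(StormControl(87.0, 65.0), UNICAST_SAMPLES))   # [True, False, False, True, True]
    # 20 percent with no falling level: blocked for exactly the interval
    # after each sample that reaches 20 percent.
    print(simulate(StormControl(20.0), BROADCAST_SAMPLES))       # [True, False, True, False, True]
    print(run_with_action("shutdown", BROADCAST_SAMPLES))
```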

Default Storm Control Configuration

By default, unicast, broadcast, and multicast storm control are disabled on the switch interfaces; that is,
the suppression level is 100 percent.

Configuring Storm Control and Threshold Levels

You configure storm control on a port and enter the threshold level that you want to be used for a
particular type of traffic.

However, because of hardware limitations and the way in which packets of different sizes are counted,
threshold percentages are approximations. Depending on the sizes of the packets making up the
incoming traffic, the actual enforced threshold might differ from the configured level by several
percentage points.

Note  Storm control is supported on physical interfaces. You can also configure storm control on an
EtherChannel. When storm control is configured on an EtherChannel, the storm control settings
propagate to the EtherChannel physical interfaces.

Beginning in privileged EXEC mode, follow these steps to configure storm control and threshold levels:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify the interface to be configured, and enter interface configuration mode.

Step 3  storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] |
        pps pps [pps-low]}
        Configure broadcast, multicast, or unicast storm control. By default, storm control is disabled.

        The keywords have these meanings:

        •  For level, specify the rising threshold level for broadcast, multicast, or unicast traffic as a
           percentage (up to two decimal places) of the bandwidth. The port blocks traffic when the
           rising threshold is reached. The range is 0.00 to 100.00.

        •  (Optional) For level-low, specify the falling threshold level as a percentage (up to two decimal
           places) of the bandwidth. This value must be less than or equal to the rising suppression
           value. The port forwards traffic when traffic drops below this level. If you do not configure a
           falling suppression level, it is set to the rising suppression level. The range is 0.00 to 100.00.

           If you set the threshold to the maximum value (100 percent), no limit is placed on the traffic.
           If you set the threshold to 0.0, all broadcast, multicast, and unicast traffic on that port is
           blocked.

        •  For bps bps, specify the rising threshold level for broadcast, multicast, or unicast traffic in
           bits per second (up to one decimal place). The port blocks traffic when the rising threshold is
           reached. The range is 0.0 to 10000000000.0.

        •  (Optional) For bps-low, specify the falling threshold level in bits per second (up to one decimal
           place). It can be less than or equal to the rising threshold level. The port forwards traffic when
           traffic drops below this level. The range is 0.0 to 10000000000.0.

        •  For pps pps, specify the rising threshold level for broadcast, multicast, or unicast traffic in
           packets per second (up to one decimal place). The port blocks traffic when the rising
           threshold is reached. The range is 0.0 to 10000000000.0.

        •  (Optional) For pps-low, specify the falling threshold level in packets per second (up to one
           decimal place). It can be less than or equal to the rising threshold level. The port forwards
           traffic when traffic drops below this level. The range is 0.0 to 10000000000.0.

        For BPS and PPS settings, you can use metric suffixes such as k, m, and g for large number
        thresholds.

Step 4  storm-control action {shutdown | trap}
        Specify the action to be taken when a storm is detected. The default is to filter out the traffic and
        not to send traps.

        •  Select the shutdown keyword to error-disable the port during a storm.

        •  Select the trap keyword to generate an SNMP trap when a storm is detected.

Step 5  end
        Return to privileged EXEC mode.

Step 6  show storm-control [interface-id] [broadcast | multicast | unicast]
        Verify the storm control suppression levels set on the interface for the specified traffic type. If
        you do not enter a traffic type, broadcast storm control settings are displayed.

Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To disable storm control, use the no storm-control {broadcast | multicast | unicast} level interface
configuration command.

This example shows how to enable unicast storm control on a port with an 87-percent rising suppression
level and a 65-percent falling suppression level:

Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# storm-control unicast level 87 65

This example shows how to enable broadcast address storm control on a port to a level of 20 percent.
When the broadcast traffic exceeds the configured level of 20 percent of the total available bandwidth
of the port within the traffic-storm-control interval, the switch drops all broadcast traffic until the end
of the traffic-storm-control interval:

Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# storm-control broadcast level 20

Configuring Protected Ports

Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch so
that one neighbor does not see the traffic generated by another neighbor. In such an environment, the
use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between
these ports on the switch.

Protected ports have these features:

•  A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that
   is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only
   control traffic, such as PIM packets, is forwarded because these packets are processed by the CPU
   and forwarded in software. All data traffic passing between protected ports must be forwarded
   through a Layer 3 device.

•  Forwarding behavior between a protected port and a nonprotected port proceeds as usual.

These sections contain this configuration information:

•  Default Protected Port Configuration, page 18-6

•  Protected Port Configuration Guidelines, page 18-6

•  Configuring a Protected Port, page 18-6
Default Protected Port Configuration

The default is to have no protected ports defined.

Protected Port Configuration Guidelines

You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an
EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel,
it is enabled for all ports in the port-channel group.

Configuring a Protected Port

Beginning in privileged EXEC mode, follow these steps to define a port as a protected port:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify the interface to be configured, and enter interface configuration mode.

Step 3  switchport protected
        Configure the interface to be a protected port.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show interfaces interface-id switchport
        Verify your entries.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To disable a protected port, use the no switchport protected interface configuration command.

This example shows how to configure a port as a protected port:

Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport protected
Switch(config-if)# end
Configuring Port Blocking

By default, the switch floods packets with unknown destination MAC addresses out of all ports. If
unknown unicast and multicast traffic is forwarded to a protected port, there could be security issues. To
prevent unknown unicast or multicast traffic from being forwarded from one port to another, you can
block a port (protected or nonprotected) from flooding unknown unicast or multicast packets to other
ports.

These sections contain this configuration information:

•  Default Port Blocking Configuration, page 18-7

•  Blocking Flooded Traffic on an Interface, page 18-7
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Default  Port  Blocking  Configuration 

The  default  is  to  not  block  flooding  of  unknown  multicast  and  unicast  traffic  out  of  a  port,  but  to  flood 
these  packets  to  all  ports. 


Blocking  Flooded  Traffic  on  an  Interface 

X   

Note      The  interface  can  be  a  physical  interface  or  an  EtherChannel  group.  When  you  block  multicast  or  unicast 
traffic  for  a  port  channel,  it  is  blocked  on  all  ports  in  the  port-channel  group. 


Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  disable  the  flooding  of  multicast  and  unicast 
packets  out  of  an  interface: 

Step 1    configure terminal
          Enter global configuration mode.

Step 2    interface interface-id
          Specify the interface to be configured, and enter interface configuration mode.

Step 3    switchport block multicast
          Block unknown multicast forwarding out of the port.

Step 4    switchport block unicast
          Block unknown unicast forwarding out of the port.

Step 5    end
          Return to privileged EXEC mode.

Step 6    show interfaces interface-id switchport
          Verify your entries.

Step 7    copy running-config startup-config
          (Optional) Save your entries in the configuration file.


To return the interface to the default condition where no traffic is blocked and normal forwarding occurs
on the port, use the no switchport block {multicast | unicast} interface configuration commands.

This example shows how to block unicast and multicast flooding on a port:

Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport block multicast
Switch(config-if)# switchport block unicast
Switch(config-if)# end


Configuring  Port  Security 

You  can  use  the  port  security  feature  to  restrict  input  to  an  interface  by  limiting  and  identifying  MAC 
addresses  of  the  stations  allowed  to  access  the  port.  When  you  assign  secure  MAC  addresses  to  a  secure 
port,  the  port  does  not  forward  packets  with  source  addresses  outside  the  group  of  defined  addresses.  If 
you  limit  the  number  of  secure  MAC  addresses  to  one  and  assign  a  single  secure  MAC  address,  the 
workstation  attached  to  that  port  is  assured  the  full  bandwidth  of  the  port. 

If  a  port  is  configured  as  a  secure  port  and  the  maximum  number  of  secure  MAC  addresses  is  reached, 
when  the  MAC  address  of  a  station  attempting  to  access  the  port  is  different  from  any  of  the  identified 
secure  MAC  addresses,  a  security  violation  occurs.  Also,  if  a  station  with  a  secure  MAC  address 
configured  or  learned  on  one  secure  port  attempts  to  access  another  secure  port,  a  violation  is  flagged. 
These sections contain this conceptual and configuration information:

•  Understanding  Port  Security,  page  18-8 

•  Default  Port  Security  Configuration,  page  18-10 

•  Port  Security  Configuration  Guidelines,  page  18-10 

•  Enabling  and  Configuring  Port  Security,  page  18-11 

•  Enabling  and  Configuring  Port  Security  Aging,  page  18-16 

Understanding  Port  Security 

These  sections  contain  this  conceptual  information: 

•  Secure  MAC  Addresses,  page  18-8 

•  Security  Violations,  page  18-9 

Secure  MAC  Addresses 

You  configure  the  maximum  number  of  secure  addresses  allowed  on  a  port  by  using  the  switchport 
port-security  maximum  value  interface  configuration  command. 

Note      If you try to set the maximum value to a number less than the number of secure addresses already
configured on an interface, the command is rejected.


The  switch  supports  these  types  of  secure  MAC  addresses: 

•  Static  secure  MAC  addresses — These  are  manually  configured  by  using  the  switchport 
port-security  mac-address  mac-address  interface  configuration  command,  stored  in  the  address 
table,  and  added  to  the  switch  running  configuration. 

•  Dynamic  secure  MAC  addresses — These  are  dynamically  configured,  stored  only  in  the  address 
table,  and  removed  when  the  switch  restarts. 

•  Sticky  secure  MAC  addresses — These  can  be  dynamically  learned  or  manually  configured,  stored  in 
the  address  table,  and  added  to  the  running  configuration.  If  these  addresses  are  saved  in  the 
configuration  file,  when  the  switch  restarts,  the  interface  does  not  need  to  dynamically  reconfigure 
them. 

You  can  configure  an  interface  to  convert  the  dynamic  MAC  addresses  to  sticky  secure  MAC  addresses 
and  to  add  them  to  the  running  configuration  by  enabling  sticky  learning.  To  enable  sticky  learning,  enter 
the  switchport  port-security  mac-address  sticky  interface  configuration  command.  When  you  enter 
this  command,  the  interface  converts  all  the  dynamic  secure  MAC  addresses,  including  those  that  were 
dynamically  learned  before  sticky  learning  was  enabled,  to  sticky  secure  MAC  addresses.  All  sticky 
secure  MAC  addresses  are  added  to  the  running  configuration. 

The  sticky  secure  MAC  addresses  do  not  automatically  become  part  of  the  configuration  file,  which  is 
the  startup  configuration  used  each  time  the  switch  restarts.  If  you  save  the  sticky  secure  MAC  addresses 
in  the  configuration  file,  when  the  switch  restarts,  the  interface  does  not  need  to  relearn  these  addresses. 
If  you  do  not  save  the  sticky  secure  addresses,  they  are  lost. 

If  sticky  learning  is  disabled,  the  sticky  secure  MAC  addresses  are  converted  to  dynamic  secure 
addresses  and  are  removed  from  the  running  configuration. 
The maximum number of secure MAC addresses that you can configure on a switch is set by the
maximum  number  of  available  MAC  addresses  allowed  in  the  system.  This  number  is  the  total  of 
available  MAC  addresses,  including  those  used  for  other  Layer  2  functions  and  any  other  secure  MAC 
addresses  configured  on  interfaces. 


Security  Violations 

It  is  a  security  violation  when  one  of  these  situations  occurs: 

•  The  maximum  number  of  secure  MAC  addresses  have  been  added  to  the  address  table,  and  a  station 
whose  MAC  address  is  not  in  the  address  table  attempts  to  access  the  interface. 

•  An  address  learned  or  configured  on  one  secure  interface  is  seen  on  another  secure  interface  in  the 
same  VLAN. 

You  can  configure  the  interface  for  one  of  three  violation  modes,  based  on  the  action  to  be  taken  if  a 
violation  occurs: 

•  protect — when  the  number  of  secure  MAC  addresses  reaches  the  maximum  limit  allowed  on  the 
port,  packets  with  unknown  source  addresses  are  dropped  until  you  remove  a  sufficient  number  of 
secure  MAC  addresses  to  drop  below  the  maximum  value  or  increase  the  number  of  maximum 
allowable  addresses.  You  are  not  notified  that  a  security  violation  has  occurred. 

Note  We do not recommend configuring the protect violation mode on a trunk port. The protect
mode disables learning when any VLAN reaches its maximum limit, even if the port has not
reached its maximum limit.


•  restrict — when  the  number  of  secure  MAC  addresses  reaches  the  maximum  limit  allowed  on  the 
port,  packets  with  unknown  source  addresses  are  dropped  until  you  remove  a  sufficient  number  of 
secure  MAC  addresses  to  drop  below  the  maximum  value  or  increase  the  number  of  maximum 
allowable  addresses.  In  this  mode,  you  are  notified  that  a  security  violation  has  occurred.  An  SNMP 
trap  is  sent,  a  syslog  message  is  logged,  and  the  violation  counter  increments. 

•  shutdown — a port security violation causes the interface to become error-disabled and to shut down
immediately, and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the
violation counter increments. When a secure port is in the error-disabled state, you can bring it out
of this state by entering the errdisable recovery cause psecure-violation global configuration
command, or you can manually re-enable it by entering the shutdown and no shutdown interface
configuration commands. This is the default mode.

•  shutdown vlan — Use to set the security violation mode per-VLAN. In this mode, the VLAN is error
disabled instead of the entire port when a violation occurs.

Table  18-1  shows  the  violation  mode  and  the  actions  taken  when  you  configure  an  interface  for  port 
security. 


Table 18-1    Security Violation Mode Actions

Violation Mode   Traffic is forwarded(1)   Sends SNMP trap   Sends syslog message   Displays error message(2)   Violation counter increments   Shuts down port
protect          No                        No                No                     No                          No                             No
restrict         No                        Yes               Yes                    No                          Yes                            No
shutdown         No                        Yes               Yes                    No                          Yes                            Yes
shutdown vlan    No                        Yes               Yes                    No                          Yes                            No(3)

1. Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses.

2. The switch returns an error message if you manually configure an address that would cause a security violation.

3. Shuts down only the VLAN on which the violation occurred.
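The two violation conditions and the per-mode actions of Table 18-1, replayed in code. This is an added example, not Cisco code: it keeps the secure address set of each port, applies the maximum and the same-VLAN cross-port rule, and records what each mode does (protect drops silently, restrict traps and counts, shutdown also error-disables the port). The shutdown vlan mode and per-VLAN maximums are not modelled.

```python
"""Replay of the port security violation rules, as an added example (not Cisco code)."""
from dataclasses import dataclass, field

MODES = ("protect", "restrict", "shutdown")


@dataclass
class Event:
    """Outcome of one ingress frame, in the columns of Table 18-1."""
    forwarded: bool
    snmp_trap: bool = False
    syslog: bool = False
    reason: str = ""


@dataclass
class SecurePort:
    name: str
    maximum: int = 1               # Table 18-2 default
    mode: str = "shutdown"         # Table 18-2 default violation mode
    vlan: int = 1
    secure: set = field(default_factory=set)   # secure MAC addresses on this port
    violations: int = 0            # the violation counter
    err_disabled: bool = False

    def __post_init__(self):
        if self.mode not in MODES:
            raise ValueError(f"unsupported violation mode {self.mode!r}")

    def violate(self, reason):
        """Drop the frame and apply the per-mode actions of Table 18-1."""
        if self.mode == "protect":
            # protect drops silently: no trap, no syslog, counter unchanged
            return Event(False, reason=reason)
        self.violations += 1                     # restrict and shutdown count
        if self.mode == "shutdown":
            self.err_disabled = True             # port goes error-disabled
        return Event(False, snmp_trap=True, syslog=True, reason=reason)


class Switch:
    def __init__(self, *ports):
        self.ports = {p.name: p for p in ports}

    def owner(self, mac, vlan):
        """Port on which mac is already a secure address in this VLAN, if any."""
        for port in self.ports.values():
            if port.vlan == vlan and mac in port.secure:
                return port
        return None

    def ingress(self, port_name, src_mac):
        """Process a frame with source src_mac arriving on port_name."""
        port = self.ports[port_name]
        if port.err_disabled:
            return Event(False, reason="port is error-disabled")
        if src_mac in port.secure:
            return Event(True)                   # known secure source
        other = self.owner(src_mac, port.vlan)
        if other is not None:
            # second violation condition: address secured on another port, same VLAN
            return port.violate(f"{src_mac} is secure on {other.name}")
        if len(port.secure) >= port.maximum:
            # first violation condition: table full and source unknown
            return port.violate("maximum number of secure addresses reached")
        port.secure.add(src_mac)                 # dynamically learned secure address
        return Event(True)


def demo():
    """Two-port walk-through with constructed addresses; returns the switch."""
    sw = Switch(SecurePort("Gi0/1", maximum=2, mode="restrict"),
                SecurePort("Gi0/2", maximum=1, mode="shutdown"))
    for mac in ("0000.0000.0001", "0000.0000.0002", "0000.0000.0003"):
        sw.ingress("Gi0/1", mac)           # third address exceeds maximum 2
    sw.ingress("Gi0/2", "0000.0000.0001")  # secure on Gi0/1, now seen on Gi0/2
    return sw
```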


Default  Port  Security  Configuration 


Table 18-2 shows the default port security configuration for an interface.

Table 18-2    Default Port Security Configuration

Feature                                           Default Setting
Port security                                     Disabled on a port.
Sticky address learning                           Disabled.
Maximum number of secure MAC addresses per port   1.
Violation mode                                    Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded.
Port security aging                               Disabled. Aging time is 0. Static aging is disabled. Type is absolute.

Port  Security  Configuration  Guidelines 

Follow  these  guidelines  when  configuring  port  security: 

•  Port  security  can  only  be  configured  on  static  access  ports  or  trunk  ports.  A  secure  port  cannot  be  a 
dynamic  access  port. 

•  A  secure  port  cannot  be  a  destination  port  for  Switched  Port  Analyzer  (SPAN). 

•  A  secure  port  cannot  belong  to  a  Gigabit  EtherChannel  port  group. 

Note     Voice VLAN is only supported on access ports and not on trunk ports, even though the
configuration is allowed.


•  When you enable port security on an interface that is also configured with a voice VLAN, set the
maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP
phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice
VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone,
no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone,
you must configure enough secure addresses to allow one for each PC and one for the phone.

•  When  you  enter  a  maximum  secure  address  value  for  an  interface,  and  the  new  value  is  greater  than 
the  previous  value,  the  new  value  overwrites  the  previously  configured  value.  If  the  new  value  is 
less  than  the  previous  value  and  the  number  of  configured  secure  addresses  on  the  interface  exceeds 
the  new  value,  the  command  is  rejected. 

•  The  switch  does  not  support  port  security  aging  of  sticky  secure  MAC  addresses. 
Table 18-3 summarizes port security compatibility with other port-based features.

Table 18-3    Port Security Compatibility with Other Switch Features

Type of Port or Feature on Port    Compatible with Port Security
DTP(1) port(2)                     No
Trunk port                         Yes
Dynamic-access port(3)             No
SPAN source port                   Yes
SPAN destination port              No
EtherChannel                       No
Protected port                     Yes
IEEE 802.1x port                   Yes
Voice VLAN port(4)                 Yes
Flex Links                         Yes

1. DTP = Dynamic Trunking Protocol

2. A port configured with the switchport mode dynamic interface configuration command.

3. A VLAN Query Protocol (VQP) port configured with the switchport access vlan dynamic interface configuration command.

4. You must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses
allowed on the access VLAN.

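The guidelines and Table 18-3 above can be checked mechanically against a running configuration. The audit below is an added example, not Cisco tooling: it parses interface blocks written with the command syntax shown in this chapter and flags port-security interfaces that are not static access or trunk ports, carry a voice VLAN with a maximum below two, use protect mode on a trunk, belong to an EtherChannel group, or are SPAN destinations. The sample configuration is constructed for the example; per-VLAN maximums are not evaluated.

```python
"""Audit a running configuration against the port security guidelines (added example)."""
import re

# Constructed sample; not taken from a real switch.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport voice vlan 22
 switchport port-security
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport port-security
 switchport port-security violation protect
!
interface GigabitEthernet0/3
 switchport mode dynamic desirable
 switchport port-security
!
interface GigabitEthernet0/4
 switchport mode access
 switchport voice vlan 22
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
interface GigabitEthernet0/5
 switchport mode access
 channel-group 1 mode on
 switchport port-security
!
monitor session 1 destination interface GigabitEthernet0/5
"""


def parse_interfaces(config):
    """Return ({interface name: [its indented lines]}, [global lines])."""
    interfaces, global_lines = {}, []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None               # "!" or a global command ends the block
            if line and line != "!":
                global_lines.append(line)
    return interfaces, global_lines


def audit(config):
    """Return a list of (interface, code, message) findings."""
    interfaces, global_lines = parse_interfaces(config)
    span_destinations = set()
    for line in global_lines:
        m = re.match(r"monitor session \d+ destination interface (\S+)", line)
        if m:
            span_destinations.add(m.group(1))

    findings = []
    for name, lines in interfaces.items():
        if "switchport port-security" not in lines:
            continue                     # port security not enabled on this interface
        # Default switchport mode is dynamic auto, which cannot be a secure port.
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), "dynamic")
        maximum, violation, voice = 1, "shutdown", False     # Table 18-2 defaults
        for l in lines:
            m = re.match(r"switchport port-security maximum (\d+)$", l)   # port-level maximum only
            if m:
                maximum = int(m.group(1))
            m = re.match(r"switchport port-security violation (\S+)", l)
            if m:
                violation = m.group(1)
            if l.startswith("switchport voice vlan "):
                voice = True
        if mode not in ("access", "trunk"):
            findings.append((name, "MODE", "secure port must be a static access or trunk port"))
        if voice and maximum < 2:
            findings.append((name, "VOICE_MAX", f"voice VLAN needs a maximum of at least 2, found {maximum}"))
        if mode == "trunk" and violation == "protect":
            findings.append((name, "TRUNK_PROTECT", "protect violation mode is not recommended on a trunk port"))
        if any(l.startswith("channel-group ") for l in lines):
            findings.append((name, "ETHERCHANNEL", "secure port cannot belong to an EtherChannel group"))
        if name in span_destinations:
            findings.append((name, "SPAN_DEST", "secure port cannot be a SPAN destination port"))
    return findings


if __name__ == "__main__":
    for interface, code, message in audit(SAMPLE_CONFIG):
        print(f"{interface}: {code}: {message}")
```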


Enabling  and  Configuring  Port  Security 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  restrict  input  to  an  interface  by  limiting  and 
identifying  MAC  addresses  of  the  stations  allowed  to  access  the  port: 

Step 1    configure terminal
          Enter global configuration mode.

Step 2    interface interface-id
          Specify the interface to be configured, and enter interface configuration mode.

Step 3    switchport mode {access | trunk}
          Set the interface switchport mode as access or trunk; an interface in the default mode (dynamic auto)
          cannot be configured as a secure port.

Step 4    switchport voice vlan vlan-id
          Enable voice VLAN on a port.
          vlan-id — Specify the VLAN to be used for voice traffic.

Step 5    switchport port-security
          Enable port security on the interface.

Step 6    switchport port-security [maximum value [vlan {vlan-list | {access | voice}}]]
          (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of
          secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC
          addresses allowed in the system. This number is the total of available MAC addresses, including those
          used for other Layer 2 functions and any other secure MAC addresses configured on interfaces.

          (Optional) vlan — set a per-VLAN maximum value.

          Enter one of these options after you enter the vlan keyword:

          •  vlan-list — On a trunk port, you can set a per-VLAN maximum value on a range of VLANs separated by
             a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum
             value is used.

          •  access — On an access port, specify the VLAN as an access VLAN.

          •  voice — On an access port, specify the VLAN as a voice VLAN.

          Note     The voice keyword is available only if a voice VLAN is configured on a port and if that port is
          not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure
          MAC addresses.

Step 7    switchport port-security violation {protect | restrict | shutdown | shutdown vlan}
          (Optional) Set the violation mode, the action to be taken when a security violation is detected, as one
          of these:

          •  protect — When the number of port secure MAC addresses reaches the maximum limit allowed on the
             port, packets with unknown source addresses are dropped until you remove a sufficient number of
             secure MAC addresses to drop below the maximum value or increase the number of maximum allowable
             addresses. You are not notified that a security violation has occurred.

          Note     We do not recommend configuring the protect mode on a trunk port. The protect mode disables
          learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.

          •  restrict — When the number of secure MAC addresses reaches the limit allowed on the port, packets
             with unknown source addresses are dropped until you remove a sufficient number of secure MAC
             addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog
             message is logged, and the violation counter increments.

          •  shutdown — The interface is error-disabled when a violation occurs, and the port LED turns off. An
             SNMP trap is sent, a syslog message is logged, and the violation counter increments.

          •  shutdown vlan — Use to set the security violation mode per VLAN. In this mode, the VLAN is error
             disabled instead of the entire port when a violation occurs.

          Note     When a secure port is in the error-disabled state, you can bring it out of this state by entering
          the errdisable recovery cause psecure-violation global configuration command. You can manually
          re-enable it by entering the shutdown and no shutdown interface configuration commands or by using
          the clear errdisable interface vlan privileged EXEC command.

Step 8    switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]]
          (Optional) Enter a secure MAC address for the interface. You can use this command to enter the
          maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the
          maximum, the remaining MAC addresses are dynamically learned.

          Note     If you enable sticky learning after you enter this command, the secure addresses that were
          dynamically learned are converted to sticky secure MAC addresses and are added to the running
          configuration.

          (Optional) vlan — set a per-VLAN maximum value.

          Enter one of these options after you enter the vlan keyword:

          •  vlan-id — On a trunk port, you can specify the VLAN ID and the MAC address. If you do not specify a
             VLAN ID, the native VLAN is used.

          •  access — On an access port, specify the VLAN as an access VLAN.

          •  voice — On an access port, specify the VLAN as a voice VLAN.

          Note     The voice keyword is available only if a voice VLAN is configured on a port and if that port is
          not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure
          MAC addresses.

Step 9    switchport port-security mac-address sticky
          (Optional) Enable sticky learning on the interface.

Step 10   switchport port-security mac-address sticky [mac-address | vlan {vlan-id | {access | voice}}]
          (Optional) Enter a sticky secure MAC address, repeating the command as many times as necessary. If
          you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are
          dynamically learned, are converted to sticky secure MAC addresses, and are added to the running
          configuration.

          Note     If you do not enable sticky learning before this command is entered, an error message appears,
          and you cannot enter a sticky secure MAC address.

          (Optional) vlan — set a per-VLAN maximum value.

          Enter one of these options after you enter the vlan keyword:

          •  vlan-id — On a trunk port, you can specify the VLAN ID and the MAC address. If you do not specify a
             VLAN ID, the native VLAN is used.

          •  access — On an access port, specify the VLAN as an access VLAN.

          •  voice — On an access port, specify the VLAN as a voice VLAN.

          Note     The voice keyword is available only if a voice VLAN is configured on a port and if that port is
          not the access VLAN.

Step 11   end
          Return to privileged EXEC mode.

Step 12   show port-security
          Verify your entries.

Step 13   copy running-config startup-config
          (Optional) Save your entries in the configuration file.

To return the interface to the default condition as not a secure port, use the no switchport port-security
interface configuration command. If you enter this command when sticky learning is enabled, the sticky
secure addresses remain part of the running configuration but are removed from the address table. All
addresses are now dynamically learned.

To return the interface to the default number of secure MAC addresses, use the no switchport
port-security maximum value interface configuration command. To return the violation mode to the
default condition (shutdown mode), use the no switchport port-security violation {protect | restrict}
interface configuration command.

To disable sticky learning on an interface, use the no switchport port-security mac-address sticky
interface configuration command. The interface converts the sticky secure MAC addresses to dynamic
secure addresses. However, if you have previously saved the configuration with the sticky MAC
addresses, you should save the configuration again after entering the no switchport port-security
mac-address sticky command, or the sticky addresses will be restored if the switch reboots.

Use  the  clear  port-security  {all  I  configured  I  dynamic  I  sticky}  privileged  EXEC  command  to  delete 
from  the  MAC  address  table  all  secure  addresses  or  all  secure  addresses  of  a  specific  type  (configured, 
dynamic,  or  sticky)  on  the  switch  or  on  an  interface. 

To  delete  a  specific  secure  MAC  address  from  the  address  table,  use  the  no  switchport  port-security 
mac-address  mac-address  interface  configuration  command.  To  delete  all  dynamic  secure  addresses  on 
an  interface  from  the  address  table,  enter  the  no  switchport  port-security  interface  configuration 
command  followed  by  the  switchport  port-security  command  (to  re-enable  port  security  on  the 
interface).  If  you  use  the  no  switchport  port-security  mac-address  sticky  interface  configuration 
command  to  convert  sticky  secure  MAC  addresses  to  dynamic  secure  MAC  addresses  before  entering 
the  no  switchport  port-security  command,  all  secure  addresses  on  the  interface  except  those  that  were 
manually  configured  are  deleted. 

You  must  specifically  delete  configured  secure  MAC  addresses  from  the  address  table  by  using  the  no 
switchport  port-security  mac-address  mac-address  interface  configuration  command. 

This  example  shows  how  to  enable  port  security  on  a  port  and  to  set  the  maximum  number  of  secure 
addresses  to  50.  The  violation  mode  is  the  default,  no  static  secure  MAC  addresses  are  configured,  and 
sticky  learning  is  enabled. 

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 50
Switch(config-if)# switchport port-security mac-address sticky

This  example  shows  how  to  configure  a  static  secure  MAC  address  on  VLAN  3  on  a  port: 

Switch(config)# interface gigabitethernet0/11
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address 0000.0200.0004 vlan 3

This  example  shows  how  to  enable  sticky  port  security  on  a  port,  to  manually  configure  MAC  addresses 
for  data  VLAN  and  voice  VLAN,  and  to  set  the  total  maximum  number  of  secure  addresses  to  20  (10  for 
data  VLAN  and  10  for  voice  VLAN). 

Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport access vlan 21
Switch(config-if)# switchport mode access
Switch(config-if)# switchport voice vlan 22
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 20
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0002
Switch(config-if)# switchport port-security mac-address 0000.0000.0003
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice
Switch(config-if)# switchport port-security mac-address 0000.0000.0004 vlan voice
Switch(config-if)# switchport port-security maximum 10 vlan access
Switch(config-if)# switchport port-security maximum 10 vlan voice



Enabling  and  Configuring  Port  Security  Aging 

You  can  use  port  security  aging  to  set  the  aging  time  for  all  secure  addresses  on  a  port.  Two  types  of 
aging  are  supported  per  port: 

•  Absolute — The  secure  addresses  on  the  port  are  deleted  after  the  specified  aging  time. 

•  Inactivity — The  secure  addresses  on  the  port  are  deleted  only  if  the  secure  addresses  are  inactive  for 
the  specified  aging  time. 

Use  this  feature  to  remove  and  add  devices  on  a  secure  port  without  manually  deleting  the  existing  secure 
MAC  addresses  and  to  still  limit  the  number  of  secure  addresses  on  a  port.  You  can  enable  or  disable  the 
aging  of  secure  addresses  on  a  per-port  basis. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  port  security  aging: 

Step 1    configure terminal
          Enter global configuration mode.

Step 2    interface interface-id
          Specify the interface to be configured, and enter interface configuration mode.

Step 3    switchport port-security aging {static | time time | type {absolute | inactivity}}
          Enable or disable static aging for the secure port, or set the aging time or type.

          Note     The switch does not support port security aging of sticky secure addresses.

          Enter static to enable aging for statically configured secure addresses on this port.

          For time, specify the aging time for this port. The valid range is from 0 to 1440 minutes.

          For type, select one of these keywords:

          •  absolute — Sets the aging type as absolute aging. All the secure addresses on this port age out
             exactly after the time (minutes) specified lapses and are removed from the secure address list.

          •  inactivity — Sets the aging type as inactivity aging. The secure addresses on this port age out
             only if there is no data traffic from the secure source addresses for the specified time period.

Step 4    end
          Return to privileged EXEC mode.

Step 5    show port-security [interface interface-id] [address]
          Verify your entries.

Step 6    copy running-config startup-config
          (Optional) Save your entries in the configuration file.
To disable port security aging for all secure addresses on a port, use the no switchport port-security
aging  time  interface  configuration  command.  To  disable  aging  for  only  statically  configured  secure 
addresses,  use  the  no  switchport  port-security  aging  static  interface  configuration  command. 

This  example  shows  how  to  set  the  aging  time  as  2  hours  for  the  secure  addresses  on  a  port: 

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport port-security aging time 120

This  example  shows  how  to  set  the  aging  time  as  2  minutes  for  the  inactivity  aging  type  with  aging 
enabled  for  the  configured  secure  addresses  on  the  interface: 

Switch(config-if)# switchport port-security aging time 2
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# switchport port-security aging static

You  can  verify  the  previous  commands  by  entering  the  show  port-security  interface  interface-id 
privileged  EXEC  command. 
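The aging rules above (absolute versus inactivity, aging static, no aging of sticky addresses, aging time 0 meaning disabled) worked through in code. This is an added example, not Cisco code: it keeps the secure address table of one port with the timestamps each aging type needs and replays the two configuration examples above with constructed addresses and minute counters.

```python
"""Port security aging for one secure port, as an added example (not Cisco code)."""
from dataclasses import dataclass


@dataclass
class SecureEntry:
    kind: str          # "dynamic", "static" or "sticky"
    secured_at: int    # minute at which the address was secured
    last_seen: int     # minute of the last frame from this source


class AgingPort:
    def __init__(self, aging_time=0, aging_type="absolute", aging_static=False):
        if aging_type not in ("absolute", "inactivity"):
            raise ValueError(f"unknown aging type {aging_type!r}")
        if not 0 <= aging_time <= 1440:
            raise ValueError("aging time is 0 to 1440 minutes")
        self.aging_time = aging_time       # 0 disables aging (Table 18-2 default)
        self.aging_type = aging_type
        self.aging_static = aging_static   # "switchport port-security aging static"
        self.table = {}                    # mac -> SecureEntry

    def secure(self, mac, kind, now):
        """Add a secure address of the given kind at minute `now`."""
        self.table[mac] = SecureEntry(kind, now, now)

    def traffic(self, mac, now):
        """Record a frame from a secure source; only inactivity aging uses this."""
        if mac in self.table:
            self.table[mac].last_seen = now

    def age(self, now):
        """Remove addresses that have aged out by minute `now`; return them."""
        if self.aging_time == 0:
            return []
        removed = []
        for mac, entry in list(self.table.items()):
            if entry.kind == "sticky":
                continue                   # sticky addresses are never aged
            if entry.kind == "static" and not self.aging_static:
                continue                   # static addresses age only with aging static
            # absolute: measured from when secured; inactivity: from last traffic
            reference = entry.secured_at if self.aging_type == "absolute" else entry.last_seen
            if now - reference >= self.aging_time:
                removed.append(mac)
                del self.table[mac]
        return sorted(removed)
```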

Displaying  Port-Based  Traffic  Control  Settings 

The  show  interfaces  interface-id  switchport  privileged  EXEC  command  displays  (among  other 
characteristics)  the  interface  traffic  suppression  and  control  configuration.  The  show  storm-control  and 
show  port-security  privileged  EXEC  commands  display  those  storm  control  and  port  security  settings. 

To  display  traffic  control  information,  use  one  or  more  of  the  privileged  EXEC  commands  in  Table  18-4. 


Table 18-4    Commands for Displaying Traffic Control Status and Configuration

show interfaces [interface-id] switchport
          Displays the administrative and operational status of all switching (nonrouting) ports or the specified
          port, including port blocking and port protection settings.

show storm-control [interface-id] [broadcast | multicast | unicast]
          Displays storm control suppression levels set on all interfaces or the specified interface for the
          specified traffic type or for broadcast traffic if no traffic type is entered.

show port-security [interface interface-id]
          Displays port security settings for the switch or for the specified interface, including the maximum
          allowed number of secure MAC addresses for each interface, the number of secure MAC addresses on the
          interface, the number of security violations that have occurred, and the violation mode.

show port-security [interface interface-id] address
          Displays all secure MAC addresses configured on all switch interfaces or on a specified interface with
          aging information for each address.

show port-security interface interface-id vlan
          Displays the number of secure MAC addresses configured per VLAN on the specified interface.
Configuring CDP


This  chapter  describes  how  to  configure  Cisco  Discovery  Protocol  (CDP)  on  the  switch. 


Note      For  complete  syntax  and  usage  information  for  the  commands  used  in  this  chapter,  see  the  command 
reference  for  this  release  and  the  "System  Management  Commands"  section  in  the  Cisco  IOS 
Configuration  Fundamentals  Command  Reference,  Release  12.2. 

This  chapter  consists  of  these  sections: 

•  Understanding  CDP,  page  19-1 

•  Configuring  CDP,  page  19-2 

•  Monitoring  and  Maintaining  CDP,  page  19-5 

Understanding  CDP 

CDP  is  a  device  discovery  protocol  that  runs  over  Layer  2  (the  data  link  layer)  on  all  Cisco-manufactured 
devices  (routers,  bridges,  access  servers,  and  switches)  and  allows  network  management  applications  to 
discover  Cisco  devices  that  are  neighbors  of  already  known  devices.  With  CDP,  network  management 
applications  can  learn  the  device  type  and  the  Simple  Network  Management  Protocol  (SNMP)  agent 
address  of  neighboring  devices  running  lower-layer,  transparent  protocols.  This  feature  enables 
applications  to  send  SNMP  queries  to  neighboring  devices. 

CDP  runs  on  all  media  that  support  Subnetwork  Access  Protocol  (SNAP).  Because  CDP  runs  over  the 
data-link  layer  only,  two  systems  that  support  different  network-layer  protocols  can  learn  about  each 
other. 

Each  CDP-configured  device  sends  periodic  messages  to  a  multicast  address,  advertising  at  least  one 
address  at  which  it  can  receive  SNMP  messages.  The  advertisements  also  contain  time-to-live,  or 
holdtime  information,  which  is  the  length  of  time  a  receiving  device  holds  CDP  information  before 
discarding  it.  Each  device  also  listens  to  the  messages  sent  by  other  devices  to  learn  about  neighboring 
devices. 

On  the  switch,  CDP  enables  CiscoView  to  display  a  graphical  view  of  the  network.  The  switch  uses  CDP 
to  find  cluster  candidates  and  maintain  information  about  cluster  members  and  other  devices  up  to  three 
cluster-enabled  devices  away  from  the  command  switch  by  default. 

The  switch  supports  CDP  Version  2. 
Configuring CDP

These sections contain this configuration information:

• Default CDP Configuration, page 19-2
• Configuring the CDP Characteristics, page 19-2
• Disabling and Enabling CDP, page 19-3
• Disabling and Enabling CDP on an Interface, page 19-4

Default CDP Configuration

Table 19-1 shows the default CDP configuration.

Table 19-1    Default CDP Configuration

Feature                                  Default Setting
CDP global state                         Enabled
CDP interface state                      Enabled
CDP timer (packet update frequency)      60 seconds
CDP holdtime (before discarding)         180 seconds
CDP Version-2 advertisements             Enabled

Configuring the CDP Characteristics

You can configure the frequency of CDP updates, the amount of time to hold the information before discarding it, and whether or not to send Version-2 advertisements.

Beginning in privileged EXEC mode, follow these steps to configure the CDP timer, holdtime, and advertisement type.

Note    Steps 2 through 4 are all optional and can be performed in any order.

Step 1  configure terminal
        Enter global configuration mode.

Step 2  cdp timer seconds
        (Optional) Set the transmission frequency of CDP updates in seconds. The range is 5 to 254; the default is 60 seconds.

Step 3  cdp holdtime seconds
        (Optional) Specify the amount of time a receiving device should hold the information sent by your device before discarding it. The range is 10 to 255 seconds; the default is 180 seconds.

Step 4  cdp advertise-v2
        (Optional) Configure CDP to send Version-2 advertisements. This is the default state.

Step 5  end
        Return to privileged EXEC mode.

Step 6  show cdp
        Verify your settings.

Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Use the no form of the CDP commands to return to the default settings.

This example shows how to configure CDP characteristics.

Switch# configure terminal
Switch(config)# cdp timer 50
Switch(config)# cdp holdtime 120
Switch(config)# cdp advertise-v2
Switch(config)# end

For additional CDP show commands, see the "Monitoring and Maintaining CDP" section on page 19-5.
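The timer and holdtime above are not independent: a neighbor keeps an entry only until holdtime seconds after the last advertisement it heard, so the ratio between the two decides how many lost advertisements a neighbor table survives before a device "disappears" and reappears. The following Python model is an added example, not part of the Cisco guide; the neighbor name, the loss pattern and the second-by-second clock are constructed for the demonstration, and the ranges it checks are the ones the table above documents. The same arithmetic applies to the LLDP holdtime and timer later in this guide.

```python
"""Model how the CDP timer and holdtime interact in a neighbor's cache.

Added example, not code from the Cisco guide. The sender advertises every
`timer` seconds; the receiver keeps the entry until holdtime seconds after
the last advertisement it heard. The loss pattern is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Ranges and defaults as documented for the cdp timer and cdp holdtime commands.
TIMER_RANGE = (5, 254)
HOLDTIME_RANGE = (10, 255)
DEFAULT_TIMER, DEFAULT_HOLDTIME = 60, 180


@dataclass
class NeighborTable:
    """Receiver-side cache: neighbor id -> time at which its entry expires."""
    holdtime: int
    entries: Dict[str, int] = field(default_factory=dict)
    expiry_events: List[Tuple[str, int]] = field(default_factory=list)

    def learn(self, neighbor: str, now: int) -> None:
        # Every advertisement restarts the neighbor's holdtime.
        self.entries[neighbor] = now + self.holdtime

    def age(self, now: int) -> None:
        # An entry is valid through its expiry second and discarded after it.
        for neighbor, expires_at in list(self.entries.items()):
            if now > expires_at:
                del self.entries[neighbor]
                self.expiry_events.append((neighbor, now))


def simulate(timer: int, holdtime: int, duration: int, dropped: Set[int]) -> List[Tuple[str, int]]:
    """Run one advertiser ("SwitchA") against one receiver for `duration` seconds.

    Advertisements leave at t = 0, timer, 2*timer, ...; any send time listed in
    `dropped` is lost in transit. Returns the (neighbor, time) pairs at which the
    receiver discarded the entry.
    """
    table = NeighborTable(holdtime)
    for now in range(duration + 1):
        table.age(now)
        if now % timer == 0 and now not in dropped:
            table.learn("SwitchA", now)
    return table.expiry_events


def tolerated_losses(timer: int, holdtime: int) -> int:
    """Consecutive lost advertisements survived before the entry ages out.

    holdtime // timer advertisements fall inside one holdtime; all but the last
    may be lost. A negative result means the entry expires even without loss.
    """
    return holdtime // timer - 1


def check_settings(timer: int, holdtime: int) -> List[str]:
    """Flag values outside the documented ranges and a holdtime that cannot cover the timer."""
    problems = []
    if not TIMER_RANGE[0] <= timer <= TIMER_RANGE[1]:
        problems.append(f"cdp timer {timer} outside {TIMER_RANGE[0]}-{TIMER_RANGE[1]}")
    if not HOLDTIME_RANGE[0] <= holdtime <= HOLDTIME_RANGE[1]:
        problems.append(f"cdp holdtime {holdtime} outside {HOLDTIME_RANGE[0]}-{HOLDTIME_RANGE[1]}")
    if holdtime <= timer:
        problems.append(f"holdtime {holdtime} does not exceed timer {timer}: "
                        "the entry cannot survive a single lost advertisement")
    return problems


if __name__ == "__main__":
    print(check_settings(DEFAULT_TIMER, DEFAULT_HOLDTIME), tolerated_losses(DEFAULT_TIMER, DEFAULT_HOLDTIME))
    print(simulate(60, 180, 600, {60, 120}))        # two losses in a row: entry survives
    print(simulate(60, 180, 600, {60, 120, 180}))   # three losses: entry discarded at t=181
    print(simulate(60, 30, 200, set()))             # holdtime shorter than timer: constant flapping
```

With the defaults (timer 60, holdtime 180) the receiver tolerates two consecutive lost advertisements and drops the neighbor on the third; the guide's own example (timer 50, holdtime 120) tolerates one. Setting holdtime below the timer makes every neighbor age out between advertisements, which shows up as neighbors constantly vanishing from show cdp neighbors.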

Disabling and Enabling CDP

CDP is enabled by default.

Note    Switch clusters and other Cisco devices (such as Cisco IP Phones) regularly exchange CDP messages. Disabling CDP can interrupt cluster discovery and device connectivity. For more information, see Chapter 6, "Clustering Switches" and see Getting Started with Cisco Network Assistant, available on Cisco.com.

Beginning in privileged EXEC mode, follow these steps to disable the CDP device discovery capability:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  no cdp run
        Disable CDP.

Step 3  end
        Return to privileged EXEC mode.

Beginning in privileged EXEC mode, follow these steps to enable CDP when it has been disabled:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  cdp run
        Enable CDP after disabling it.

Step 3  end
        Return to privileged EXEC mode.

This example shows how to enable CDP if it has been disabled.

Switch# configure terminal
Switch(config)# cdp run
Switch(config)# end
Disabling and Enabling CDP on an Interface

CDP is enabled by default on all supported interfaces to send and to receive CDP information.

Beginning in privileged EXEC mode, follow these steps to disable CDP on a port:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify the interface on which you are disabling CDP, and enter interface configuration mode.

Step 3  no cdp enable
        Disable CDP on the interface.

Step 4  end
        Return to privileged EXEC mode.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Beginning in privileged EXEC mode, follow these steps to enable CDP on a port when it has been disabled:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify the interface on which you are enabling CDP, and enter interface configuration mode.

Step 3  cdp enable
        Enable CDP on the interface after disabling it.

Step 4  end
        Return to privileged EXEC mode.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

This example shows how to enable CDP on a port when it has been disabled.

Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# cdp enable
Switch(config-if)# end
Monitoring and Maintaining CDP

To monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode.

clear cdp counters
    Reset the traffic counters to zero.

clear cdp table
    Delete the CDP table of information about neighbors.

show cdp
    Display global information, such as frequency of transmissions and the holdtime for packets being sent.

show cdp entry entry-name [protocol | version]
    Display information about a specific neighbor.
    You can enter an asterisk (*) to display all CDP neighbors, or you can enter the name of the neighbor about which you want information.
    You can also limit the display to information about the protocols enabled on the specified neighbor or information about the version of software running on the device.

show cdp interface [interface-id]
    Display information about interfaces where CDP is enabled.
    You can limit the display to the interface about which you want information.

show cdp neighbors [interface-id] [detail]
    Display information about neighbors, including device type, interface type and number, holdtime settings, capabilities, platform, and port ID.
    You can limit the display to neighbors of a specific interface or expand the display to provide more detailed information.

show cdp traffic
    Display CDP counters, including the number of packets sent and received and checksum errors.
Configuring LLDP and LLDP-MED

This chapter describes how to configure the Link Layer Discovery Protocol (LLDP) and LLDP Media Endpoint Discovery (LLDP-MED) on the switch.

For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the "System Management Commands" section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.

This chapter consists of these sections:

• Understanding LLDP and LLDP-MED, page 20-1
• Configuring LLDP and LLDP-MED, page 20-3
• Monitoring and Maintaining LLDP and LLDP-MED, page 20-7

Understanding LLDP and LLDP-MED

This section contains this conceptual information:

• Understanding LLDP, page 20-1
• Understanding LLDP-MED, page 20-2

Understanding LLDP

The Cisco Discovery Protocol (CDP) is a device discovery protocol that runs over Layer 2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access servers, and switches). CDP allows network management applications to automatically discover and learn about other Cisco devices connected to the network.

To support non-Cisco devices and to allow for interoperability between other devices, the switch supports the IEEE 802.1AB Link Layer Discovery Protocol (LLDP). LLDP is a neighbor discovery protocol that is used for network devices to advertise information about themselves to other devices on the network. This protocol runs over the data-link layer, which allows two systems running different network layer protocols to learn about each other.

LLDP supports a set of attributes that it uses to discover neighbor devices. These attributes contain type, length, and value descriptions and are referred to as TLVs. LLDP-supported devices can use TLVs to receive and send information to their neighbors. Details such as configuration information, device capabilities, and device identity can be advertised using this protocol.

The switch supports these basic management TLVs. These are mandatory LLDP TLVs.

• Port description TLV
• System name TLV
• System description TLV
• System capabilities TLV
• Management address TLV

These organizationally specific LLDP TLVs are also advertised to support LLDP-MED.

• Port VLAN ID TLV (IEEE 802.1 organizationally specific TLVs)
• MAC/PHY configuration/status TLV (IEEE 802.3 organizationally specific TLVs)

Note    A switch stack appears as a single switch in the network. Therefore, LLDP discovers the switch stack, not the individual stack members.
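Everything a neighbor learns from LLDP arrives in the TLV chain described above, so it is worth seeing how those TLVs are laid out on the wire. The following Python parser is an added example, not code from the Cisco guide or from Cisco IOS: it encodes a constructed LLDPDU carrying the mandatory TLVs and the IEEE 802.1 Port VLAN ID TLV, then decodes it while refusing to read past a TLV's declared length. The chassis MAC, port name, management address and VLAN in the sample are constructed values.

```python
"""Parse an LLDP Data Unit (LLDPDU) into its TLVs.

Added example, not code from the Cisco guide. Every TLV starts with a
16-bit big-endian header (7-bit type, 9-bit length) followed by `length`
bytes of value; the frame below is constructed for the demonstration.
"""
import struct
from ipaddress import IPv4Address
from typing import List, Optional

TLV_NAMES = {0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "Time To Live",
             4: "Port Description", 5: "System Name", 6: "System Description",
             7: "System Capabilities", 8: "Management Address",
             127: "Organizationally Specific"}
# Bit positions of the System Capabilities bitmap (IEEE 802.1AB).
CAPABILITY_BITS = {0: "Other", 1: "Repeater", 2: "Bridge", 3: "WLAN Access Point",
                   4: "Router", 5: "Telephone", 6: "DOCSIS Cable Device", 7: "Station Only"}
CHASSIS_ID_SUBTYPES = {4: "MAC address", 5: "Network address", 6: "Interface name", 7: "Locally assigned"}
PORT_ID_SUBTYPES = {3: "MAC address", 4: "Network address", 5: "Interface name", 7: "Locally assigned"}
IEEE_8021_OUI = bytes.fromhex("0080c2")   # Port VLAN ID TLV is subtype 1 under this OUI


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length packed into two bytes."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def capability_names(bitmap: int) -> List[str]:
    return [name for bit, name in CAPABILITY_BITS.items() if bitmap & (1 << bit)]


def decode_value(tlv_type: int, value: bytes):
    """Turn the raw value of a known TLV into Python data; unknown types stay as hex."""
    if tlv_type in (1, 2):                    # Chassis ID / Port ID: subtype byte + identifier
        if not value:
            raise ValueError("empty ID TLV")
        names = CHASSIS_ID_SUBTYPES if tlv_type == 1 else PORT_ID_SUBTYPES
        label = names.get(value[0], f"subtype {value[0]}")
        ident = value[1:].hex(":") if label == "MAC address" else value[1:].decode("utf-8", "replace")
        return {"subtype": label, "id": ident}
    if tlv_type == 3:                         # TTL is the holdtime the receiver must apply
        if len(value) != 2:
            raise ValueError("TTL TLV must be 2 bytes")
        return struct.unpack("!H", value)[0]
    if tlv_type in (4, 5, 6):                 # free-text TLVs
        return value.decode("utf-8", "replace")
    if tlv_type == 7:                         # two 16-bit bitmaps: supported and enabled
        if len(value) != 4:
            raise ValueError("System Capabilities TLV must be 4 bytes")
        supported, enabled = struct.unpack("!HH", value)
        return {"capabilities": capability_names(supported), "enabled": capability_names(enabled)}
    if tlv_type == 8:                         # address string, then interface numbering, then OID
        addr_len = value[0]                   # counts the address subtype byte plus the address
        if len(value) < 1 + addr_len + 6:
            raise ValueError("Management Address TLV too short")
        addr_subtype, addr = value[1], value[2:1 + addr_len]
        address = str(IPv4Address(addr)) if addr_subtype == 1 and len(addr) == 4 else addr.hex()
        if_number = int.from_bytes(value[2 + addr_len:6 + addr_len], "big")
        return {"address": address, "interface_number": if_number}
    if tlv_type == 127:                       # organizationally specific: 3-byte OUI + subtype
        if len(value) < 4:
            raise ValueError("Organizationally Specific TLV too short")
        oui, subtype, body = value[:3], value[3], value[4:]
        if oui == IEEE_8021_OUI and subtype == 1 and len(body) == 2:
            return {"oui": oui.hex(":"), "name": "Port VLAN ID", "vlan": struct.unpack("!H", body)[0]}
        return {"oui": oui.hex(":"), "subtype": subtype, "raw": body.hex()}
    return value.hex() or None


def parse_lldpdu(data: bytes) -> List[dict]:
    """Walk the TLV chain, stopping at End of LLDPDU and rejecting truncated frames."""
    tlvs, offset = [], 0
    while offset + 2 <= len(data):
        header = struct.unpack_from("!H", data, offset)[0]
        tlv_type, length = header >> 9, header & 0x1FF
        value = data[offset + 2:offset + 2 + length]
        if len(value) < length:
            raise ValueError(f"truncated TLV type {tlv_type} at offset {offset}")
        offset += 2 + length
        tlvs.append({"type": tlv_type, "name": TLV_NAMES.get(tlv_type, "Reserved"),
                     "value": decode_value(tlv_type, value)})
        if tlv_type == 0:
            return tlvs
    raise ValueError("LLDPDU has no End of LLDPDU TLV")


def parse_error(data: bytes) -> Optional[str]:
    """Return the parser's complaint for a frame, or None if it parsed cleanly."""
    try:
        parse_lldpdu(data)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed LLDPDU: the mandatory TLVs plus the Port VLAN ID TLV the switch advertises.
SAMPLE_LLDPDU = b"".join([
    tlv(1, bytes([4]) + bytes.fromhex("001122334455")),                 # Chassis ID, MAC
    tlv(2, bytes([5]) + b"Gi1/0/1"),                                    # Port ID, interface name
    tlv(3, struct.pack("!H", 120)),                                     # TTL 120 s
    tlv(4, b"uplink to core"),
    tlv(5, b"Switch"),
    tlv(7, struct.pack("!HH", 1 << 2, 1 << 2)),                         # bridge supported + enabled
    tlv(8, bytes([5, 1]) + IPv4Address("192.0.2.10").packed
        + bytes([2]) + (1).to_bytes(4, "big") + bytes([0])),            # ifIndex 1, no OID
    tlv(127, IEEE_8021_OUI + bytes([1]) + struct.pack("!H", 10)),       # Port VLAN ID 10
    tlv(0, b""),
])

if __name__ == "__main__":
    for entry in parse_lldpdu(SAMPLE_LLDPDU):
        print(f"{entry['name']:<26} {entry['value']}")
```

The length check before every slice is the part that matters for a receiver: a 9-bit length field can claim more bytes than the frame carries, and a parser that trusts it reads past the buffer. Cutting the sample frame short shows both failure modes the parser reports, a TLV whose declared length exceeds the remaining bytes and a frame that never reaches the End of LLDPDU TLV.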


Understanding LLDP-MED

LLDP for Media Endpoint Devices (LLDP-MED) is an extension to LLDP that operates between endpoint devices such as IP phones and network devices such as switches. It specifically provides support for voice over IP (VoIP) applications and provides additional TLVs for capabilities discovery, network policy, Power over Ethernet, and inventory management.

LLDP-MED supports these TLVs:

• LLDP-MED capabilities TLV
  Allows LLDP-MED endpoints to determine the capabilities that the connected device supports and what capabilities the device has enabled.

• Network policy TLV
  Allows both network connectivity devices and endpoints to advertise VLAN configurations and associated Layer 2 and Layer 3 attributes for the specific application on that port. For example, the switch can notify a phone of the VLAN number that it should use. The phone can connect into any switch, obtain its VLAN number, and then start communicating with the call control

• Power management TLV
  Enables advanced power management between LLDP-MED endpoint and network connectivity devices. Allows switches and phones to convey power information, such as how the device is powered, power priority, and how much power the device needs.

• Inventory management TLV
  Allows an endpoint to transmit detailed inventory information about itself to the switch, including hardware revision, firmware version, software version, serial number, manufacturer name, model name, and asset ID TLV.

Note    LLDP and LLDP-MED cannot operate simultaneously in a network. By default, a network device sends only LLDP packets until it receives LLDP-MED packets from an endpoint device. The network device then sends out LLDP-MED packets until it receives LLDP-only packets.
Configuring LLDP and LLDP-MED

This section contains this configuration information:

• Default LLDP Configuration, page 20-3
• Configuring LLDP Characteristics, page 20-3
• Disabling and Enabling LLDP Globally, page 20-4
• Disabling and Enabling LLDP on an Interface, page 20-5
• Configuring LLDP-MED TLVs, page 20-6

Default LLDP Configuration

Table 20-1 shows the default LLDP configuration. To change the default settings, use the LLDP global configuration and LLDP interface configuration commands.

Table 20-1    Default LLDP Configuration

Feature                                  Default Setting
LLDP global state                        Enabled
LLDP holdtime (before discarding)        120 seconds
LLDP timer (packet update frequency)     30 seconds
LLDP reinitialization delay              2 seconds
LLDP tlv-select                          Enabled to send and receive all TLVs
LLDP interface state                     Enabled
LLDP receive                             Enabled
LLDP transmit                            Enabled
LLDP med-tlv-select                      Enabled to send all LLDP-MED TLVs
Configuring LLDP Characteristics

You can configure the frequency of LLDP updates, the amount of time to hold the information before discarding it, and the initialization delay time. You can also select the LLDP and LLDP-MED TLVs to be sent and received.

Beginning in privileged EXEC mode, follow these steps to configure these characteristics:

Note    Steps 2 through 5 are all optional and can be performed in any order.

Step 1  configure terminal
        Enter global configuration mode.

Step 2  lldp holdtime seconds
        (Optional) Specify the amount of time a receiving device should hold the information sent by your device before discarding it. The range is 0 to 65535 seconds; the default is 120 seconds.

Step 3  lldp reinit seconds
        (Optional) Specify the delay time in seconds for LLDP to initialize on any interface. The range is 2 to 5 seconds; the default is 2 seconds.

Step 4  lldp timer seconds
        (Optional) Set the transmission frequency of LLDP updates in seconds. The range is 5 to 65534 seconds; the default is 30 seconds.

Step 5  lldp tlv-select
        (Optional) Specify the LLDP TLVs to send or receive.

Step 6  lldp med-tlv-select
        (Optional) Specify the LLDP-MED TLVs to send or receive.

Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Use the no form of each of the LLDP commands to return to the default setting.

This example shows how to configure LLDP characteristics.

Switch# configure terminal
Switch(config)# lldp holdtime 120
Switch(config)# lldp reinit 2
Switch(config)# lldp timer 30
Switch(config)# end

For additional LLDP show commands, see the "Monitoring and Maintaining LLDP and LLDP-MED" section on page 20-7.


Disabling and Enabling LLDP Globally

LLDP is enabled by default.

Beginning in privileged EXEC mode, follow these steps to disable LLDP:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  no lldp run
        Disable LLDP.

Step 3  end
        Return to privileged EXEC mode.

Beginning in privileged EXEC mode, follow these steps to enable LLDP when it has been disabled:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  lldp run
        Enable LLDP.

Step 3  end
        Return to privileged EXEC mode.

This example shows how to disable LLDP.

Switch# configure terminal
Switch(config)# no lldp run
Switch(config)# end

This example shows how to enable LLDP.

Switch# configure terminal
Switch(config)# lldp run
Switch(config)# end

Disabling and Enabling LLDP on an Interface

LLDP is enabled by default on all supported interfaces to send and to receive LLDP information.

Beginning in privileged EXEC mode, follow these steps to disable LLDP on an interface:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify the interface on which you are disabling LLDP, and enter interface configuration mode.

Step 3  no lldp transmit
        No LLDP packets are sent on the interface.

Step 4  no lldp receive
        No LLDP packets are received on the interface.

Step 5  end
        Return to privileged EXEC mode.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Beginning in privileged EXEC mode, follow these steps to enable LLDP on an interface when it has been disabled:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify the interface on which you are enabling LLDP, and enter interface configuration mode.

Step 3  lldp transmit
        LLDP packets are sent on the interface.

Step 4  lldp receive
        LLDP packets are received on the interface.

Step 5  end
        Return to privileged EXEC mode.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

This example shows how to enable LLDP on an interface.

Switch# configure terminal
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# lldp transmit
Switch(config-if)# lldp receive
Switch(config-if)# end
Configuring LLDP-MED TLVs

By default, the switch only sends LLDP packets until it receives LLDP-MED packets from the end device. The device continues to send LLDP-MED packets until it receives LLDP packets only.

Using the lldp interface command, you can configure the interface not to send the following TLVs:

Table 20-2    LLDP-MED TLVs

LLDP-MED TLV              Description
inventory-management      LLDP-MED inventory management TLV
network-policy            LLDP-MED network policy TLV
power-management          LLDP-MED power management TLV

Beginning in privileged EXEC mode, follow these steps to disable a TLV on an interface:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify the interface on which you are configuring an LLDP-MED TLV, and enter interface configuration mode.

Step 3  no lldp med-tlv-select tlv
        Specify the TLV to disable.

Step 4  end
        Return to privileged EXEC mode.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Beginning in privileged EXEC mode, follow these steps to enable a TLV on an interface:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify the interface on which you are configuring an LLDP-MED TLV, and enter interface configuration mode.

Step 3  lldp med-tlv-select tlv
        Specify the TLV to enable.

Step 4  end
        Return to privileged EXEC mode.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

This example shows how to enable a TLV on an interface when it has been disabled.

Switch# configure terminal
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# lldp med-tlv-select inventory-management
Switch(config-if)# end
Monitoring and Maintaining LLDP and LLDP-MED

To monitor and maintain LLDP and LLDP-MED on your device, perform one or more of these tasks, beginning in privileged EXEC mode.

clear lldp counters
    Reset the traffic counters to zero.

clear lldp table
    Delete the LLDP table of information about neighbors.

show lldp
    Display global information, such as frequency of transmissions, the holdtime for packets being sent, and the delay time for LLDP to initialize on an interface.

show lldp entry entry-name
    Display information about a specific neighbor.
    You can enter an asterisk (*) to display all neighbors, or you can enter the name of the neighbor about which you want information.

show lldp interface [interface-id]
    Display information about interfaces where LLDP is enabled.
    You can limit the display to the interface about which you want information.

show lldp neighbors [interface-id] [detail]
    Display information about neighbors, including device type, interface type and number, holdtime settings, capabilities, and port ID.
    You can limit the display to neighbors of a specific interface or expand the display to provide more detailed information.

show lldp traffic
    Display LLDP counters, including the number of packets sent and received, number of packets discarded, and number of unrecognized TLVs.
Configuring UDLD

This chapter describes how to configure the UniDirectional Link Detection (UDLD) protocol on the switch.

Note    For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.

This chapter consists of these sections:

• Understanding UDLD, page 21-1
• Configuring UDLD, page 21-3
• Displaying UDLD Status, page 21-6

Understanding UDLD

UDLD is a Layer 2 protocol that enables devices connected through fiber-optic or twisted-pair Ethernet cables to monitor the physical configuration of the cables and detect when a unidirectional link exists. All connected devices must support UDLD for the protocol to successfully identify and disable unidirectional links. When UDLD detects a unidirectional link, it disables the affected port and alerts you. Unidirectional links can cause a variety of problems, including spanning-tree topology loops.

Modes of Operation

UDLD supports two modes of operation: normal (the default) and aggressive. In normal mode, UDLD can detect unidirectional links due to misconnected ports on fiber-optic connections. In aggressive mode, UDLD can also detect unidirectional links due to one-way traffic on fiber-optic and twisted-pair links and to misconnected ports on fiber-optic links.

In normal and aggressive modes, UDLD works with the Layer 1 mechanisms to learn the physical status of a link. At Layer 1, autonegotiation takes care of physical signaling and fault detection. UDLD performs tasks that autonegotiation cannot perform, such as detecting the identities of neighbors and shutting down misconnected ports. When you enable both autonegotiation and UDLD, the Layer 1 and Layer 2 detections work together to prevent physical and logical unidirectional connections and the malfunctioning of other protocols.

A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device.
In normal mode, UDLD detects a unidirectional link when fiber strands in a fiber-optic port are misconnected and the Layer 1 mechanisms do not detect this misconnection. If the ports are connected correctly but the traffic is one way, UDLD does not detect the unidirectional link because the Layer 1 mechanism, which is supposed to detect this condition, does not do so. In this case, the logical link is considered undetermined, and UDLD does not disable the port.

When UDLD is in normal mode, if one of the fiber strands in a pair is disconnected and autonegotiation is active, the link does not stay up because the Layer 1 mechanisms did not detect a physical problem with the link. In this case, UDLD does not take any action, and the logical link is considered undetermined.

In aggressive mode, UDLD detects a unidirectional link by using the previous detection methods. UDLD in aggressive mode can also detect a unidirectional link on a point-to-point link on which no failure between the two devices is allowed. It can also detect a unidirectional link when one of these problems exists:

• On fiber-optic or twisted-pair links, one of the ports cannot send or receive traffic.
• On fiber-optic or twisted-pair links, one of the ports is down while the other is up.
• One of the fiber strands in the cable is disconnected.

In these cases, UDLD disables the affected port.

In a point-to-point link, UDLD hello packets can be considered as a heartbeat whose presence guarantees the health of the link. Conversely, the loss of the heartbeat means that the link must be shut down if it is not possible to re-establish a bidirectional link.

If both fiber strands in a cable are working normally from a Layer 1 perspective, UDLD in aggressive mode detects whether those fiber strands are connected correctly and whether traffic is flowing bidirectionally between the correct neighbors. This check cannot be performed by autonegotiation because autonegotiation operates at Layer 1.

Methods to Detect Unidirectional Links

UDLD operates by using two mechanisms:

• Neighbor database maintenance

  UDLD learns about other UDLD-capable neighbors by periodically sending a hello packet (also called an advertisement or probe) on every active port to keep each device informed about its neighbors.

  When the switch receives a hello message, it caches the information until the age time (hold time or time-to-live) expires. If the switch receives a new hello message before an older cache entry ages, the switch replaces the older entry with the new one.

  Whenever a port is disabled and UDLD is running, whenever UDLD is disabled on a port, or whenever the switch is reset, UDLD clears all existing cache entries for the ports affected by the configuration change. UDLD sends at least one message to inform the neighbors to flush the part of their caches affected by the status change. The message is intended to keep the caches synchronized.

• Event-driven detection and echoing

  UDLD relies on echoing as its detection mechanism. Whenever a UDLD device learns about a new neighbor or receives a resynchronization request from an out-of-sync neighbor, it restarts the detection window on its side of the connection and sends echo messages in reply. Because this behavior is the same on all UDLD neighbors, the sender of the echoes expects to receive an echo in reply.

  If the detection window ends and no valid reply message is received, the link might shut down, depending on the UDLD mode. When UDLD is in normal mode, the link might be considered undetermined and might not be shut down. When UDLD is in aggressive mode, the link is considered unidirectional, and the port is disabled.

If UDLD in normal mode is in the advertisement or in the detection phase and all the neighbor cache entries are aged out, UDLD restarts the link-up sequence to resynchronize with any potentially out-of-sync neighbors.

If you enable aggressive mode when all the neighbors of a port have aged out either in the advertisement or in the detection phase, UDLD restarts the link-up sequence to resynchronize with any potentially out-of-sync neighbor. UDLD shuts down the port if, after the fast train of messages, the link state is still undetermined.

Figure 21-1 shows an example of a unidirectional link condition.

Figure 21-1    UDLD Detection of a Unidirectional Link

[Figure callouts: Switch A. Switch B successfully receives traffic from Switch A on this port. However, Switch A does not receive traffic from Switch B on the same port. If UDLD is in aggressive mode, it detects the problem and disables the port. If UDLD is in normal mode, the logical link is considered undetermined, and UDLD does not disable the interface.]
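The two mechanisms described above, a neighbor cache that ages out and an echo whose absence ends the detection window, together with the mode-dependent outcome of Figure 21-1, can be worked through in code. The following Python model is an added example and not Cisco's UDLD implementation: the hello interval, hold time and detection window are constructed values chosen to keep the timeline short, a hello carries the sender's list of neighbors it has heard (so a hello that names the receiver is the "valid echo"), and the A-to-B direction is always healthy while the B-to-A direction can be broken from the start or fail part way through. Switch names are constructed.

```python
"""Model UDLD's neighbor cache and echo-based detection in normal and aggressive mode.

Added example, not code from the Cisco guide or from Cisco IOS. A hello carries
the list of neighbors its sender has heard; a hello that lists the receiver is
treated as the valid echo that ends the detection window.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class Mode(Enum):
    NORMAL = "normal"
    AGGRESSIVE = "aggressive"


class LinkState(Enum):
    UNDETERMINED = "undetermined"
    BIDIRECTIONAL = "bidirectional"
    UNIDIRECTIONAL = "unidirectional"


@dataclass
class UdldPort:
    name: str
    mode: Mode
    holdtime: int                   # constructed age time for neighbor cache entries
    window: int                     # constructed length of the detection window
    neighbor_cache: Dict[str, int] = field(default_factory=dict)   # neighbor -> expiry time
    deadline: Optional[int] = None  # end of the current detection window, if one is open
    state: LinkState = LinkState.UNDETERMINED
    err_disabled: bool = False

    def hello(self) -> dict:
        # A hello advertises who this port has heard from, which is what lets
        # the far end confirm that traffic is flowing in both directions.
        return {"from": self.name, "heard": list(self.neighbor_cache)}

    def receive(self, msg: dict, now: int) -> None:
        sender = msg["from"]
        is_new = sender not in self.neighbor_cache
        self.neighbor_cache[sender] = now + self.holdtime
        if self.name in msg["heard"]:
            # Valid echo: the neighbor hears us, so the link is bidirectional.
            self.state = LinkState.BIDIRECTIONAL
            self.deadline = None
        elif is_new or self.state is LinkState.BIDIRECTIONAL:
            # New neighbor, or a known one that no longer lists us: (re)start detection.
            self.state = LinkState.UNDETERMINED
            self.deadline = now + self.window

    def tick(self, now: int) -> None:
        for neighbor, expires_at in list(self.neighbor_cache.items()):
            if now > expires_at:
                del self.neighbor_cache[neighbor]
                if self.state is LinkState.BIDIRECTIONAL:
                    # Neighbor aged out: restart the link-up sequence to resynchronize.
                    self.state = LinkState.UNDETERMINED
                    self.deadline = now + self.window
        if self.deadline is not None and now >= self.deadline:
            # Detection window ended without a valid echo: the mode decides the outcome.
            self.deadline = None
            if self.mode is Mode.AGGRESSIVE:
                self.state = LinkState.UNIDIRECTIONAL
                self.err_disabled = True
            else:
                self.state = LinkState.UNDETERMINED


def simulate_link(mode: Mode, b_to_a_fails_at: Optional[int] = None, steps: int = 60,
                  hello_interval: int = 5, holdtime: int = 15, window: int = 10) -> Dict[str, Tuple[str, bool]]:
    """Run two ports against each other; A->B always works, B->A fails at the given time (None = never)."""
    a = UdldPort("SwitchA", mode, holdtime, window)
    b = UdldPort("SwitchB", mode, holdtime, window)
    for now in range(steps):
        a.tick(now)
        b.tick(now)
        if now % hello_interval:
            continue
        live = not a.err_disabled and not b.err_disabled   # a disabled port neither sends nor receives
        if live:
            b.receive(a.hello(), now)
        if live and (b_to_a_fails_at is None or now < b_to_a_fails_at):
            a.receive(b.hello(), now)
    return {p.name: (p.state.value, p.err_disabled) for p in (a, b)}


if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, "healthy:", simulate_link(mode))
        print(mode.value, "one-way from start:", simulate_link(mode, b_to_a_fails_at=0))
        print(mode.value, "fails at t=20:", simulate_link(mode, b_to_a_fails_at=20))
```

On the link of Figure 21-1 (B hears A, A never hears B) Switch B is the side that learns a neighbor and opens a detection window; its window ends without a hello from A that lists B, so in aggressive mode B's port is error-disabled while in normal mode it is merely left undetermined. Switch A, which never learns a neighbor at all, stays undetermined and up in both modes. When a previously bidirectional link turns one-way, the aged-out cache entry restarts detection and aggressive mode ends with the port disabled, while normal mode again settles on undetermined.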


Configuring UDLD

These sections contain this configuration information:

• Default UDLD Configuration, page 21-4
• Configuration Guidelines, page 21-4
• Enabling UDLD Globally, page 21-5
• Enabling UDLD on an Interface, page 21-5
• Resetting an Interface Disabled by UDLD, page 21-6

Default UDLD Configuration

Table 21-1 shows the default UDLD configuration.

Table 21-1    Default UDLD Configuration

Feature                                                      Default Setting
UDLD global enable state                                     Globally disabled
UDLD per-port enable state for fiber-optic media             Disabled on all Ethernet fiber-optic ports
UDLD per-port enable state for twisted-pair (copper) media   Disabled on all Ethernet 10/100 and 1000BASE ports
UDLD aggressive mode                                         Disabled

Configuration Guidelines

These are the UDLD configuration guidelines:

• UDLD is not supported on ATM ports.
• A UDLD-capable port cannot detect a unidirectional link if it is connected to a UDLD-incapable port of another switch.
• When configuring the mode (normal or aggressive), make sure that the same mode is configured on both sides of the link.

Caution    Loop guard works only on point-to-point links. We recommend that each end of the link has a directly connected device that is running STP.
Enabling UDLD Globally

Beginning in privileged EXEC mode, follow these steps to enable UDLD in the aggressive or normal mode and to set the configurable message timer on all fiber-optic ports on the switch:

Command                                   Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  udld {aggressive | enable | message time message-timer-interval}
        Specify the UDLD mode of operation:
        • aggressive — Enables UDLD in aggressive mode on all fiber-optic ports.
        • enable — Enables UDLD in normal mode on all fiber-optic ports on the switch. UDLD is disabled by default.
          An individual interface configuration overrides the setting of the udld enable global configuration command.
          For more information about aggressive and normal modes, see the "Modes of Operation" section on page 21-1.
        • message time message-timer-interval — Configures the period of time between UDLD probe messages on ports that are in the advertisement phase and are detected to be bidirectional. The range is from 1 to 90 seconds.
        Note  This command affects fiber-optic ports only. Use the udld interface configuration command to enable UDLD on other port types. For more information, see the "Enabling UDLD on an Interface" section on page 21-5.

Step 3  end
        Return to privileged EXEC mode.

Step 4  show udld
        Verify your entries.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.


To  disable  UDLD  globally,  use  the  no  udld  enable  global  configuration  command  to  disable  normal 
mode  UDLD  on  all  fiber-optic  ports.  Use  the  no  udld  aggressive  global  configuration  command  to 
disable  aggressive  mode  UDLD  on  all  fiber-optic  ports. 


Enabling  UDLD  on  an  Interface 

Beginning in privileged EXEC mode, follow these steps either to enable UDLD in the aggressive or normal mode or to disable UDLD on a port:

Command                                   Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface interface-id
        Specify the port to be enabled for UDLD, and enter interface configuration mode.

Step 3  udld port [aggressive]
        UDLD is disabled by default.
        • udld port — Enables UDLD in normal mode on the specified port.
        • udld port aggressive — Enables UDLD in aggressive mode on the specified port.
        Note  Use the no udld port interface configuration command to disable UDLD on a specified fiber-optic port.
        For more information about aggressive and normal modes, see the "Modes of Operation" section on page 21-1.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show udld interface-id
        Verify your entries.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Resetting  an  Interface  Disabled  by  UDLD 

Beginning in privileged EXEC mode, follow these steps to reset all ports disabled by UDLD:

Command                                   Purpose

Step 1  udld reset
        Reset all ports disabled by UDLD.

Step 2  show udld
        Verify your entries.

You  can  also  bring  up  the  port  by  using  these  commands: 

• The shutdown interface configuration command followed by the no shutdown interface configuration command restarts the disabled port.

• The no udld {aggressive | enable} global configuration command followed by the udld {aggressive | enable} global configuration command re-enables the disabled ports.

• The no udld port interface configuration command followed by the udld port [aggressive] interface configuration command re-enables the disabled fiber-optic port.

• The errdisable recovery cause udld global configuration command enables the timer to automatically recover from the UDLD error-disabled state, and the errdisable recovery interval interval global configuration command specifies the time to recover from the UDLD error-disabled state.
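The three procedures above (global enable with the message timer, per-port enable, and recovery of an error-disabled port) combined into one worked CLI session. This is an added example and is not taken from the guide; the hostname Switch, the interface GigabitEthernet0/1, the 15-second message timer and the 300-second recovery interval are constructed values chosen for illustration (15 s lies inside the documented 1 to 90 second range).

```cisco
! Added example, not from the guide. Interface name and timer values are illustrative.
Switch# configure terminal
! Normal-mode UDLD on every fiber-optic port, probing every 15 s (range 1-90 s).
Switch(config)# udld enable
Switch(config)# udld message time 15
! The global command covers fiber-optic ports only. A copper uplink must be
! enabled per port; aggressive mode is used here so that an undetermined link
! state is error-disabled instead of left up. Both ends of the link must run
! the same mode, otherwise a healthy link can be error-disabled.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# udld port aggressive
Switch(config-if)# exit
! Let the switch retry error-disabled UDLD ports itself after 300 s (constructed value).
Switch(config)# errdisable recovery cause udld
Switch(config)# errdisable recovery interval 300
Switch(config)# end
! Verify one port and save.
Switch# show udld gigabitethernet0/1
Switch# copy running-config startup-config
!
! Manual recovery once the cable or transceiver fault has actually been repaired.
Switch# udld reset
Switch# show udld
```

The recovery timer only re-enables the port; it does not repair the link. If the unidirectional condition persists, aggressive-mode UDLD error-disables the port again on the next detection, so a port that keeps cycling through recovery is the signal to inspect the physical link rather than lengthen the interval.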


Displaying  UDLD  Status 

To  display  the  UDLD  status  for  the  specified  port  or  for  all  ports,  use  the  show  udld  [interface-id] 
privileged  EXEC  command. 

For  detailed  information  about  the  fields  in  the  command  output,  see  the  command  reference  for  this 
release. 
Configuring SPAN and RSPAN


This  chapter  describes  how  to  configure  Switched  Port  Analyzer  (SPAN)  and  Remote  SPAN  (RSPAN) 
on  the  switch. 

Note  For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.

This  chapter  consists  of  these  sections: 

•  Understanding  SPAN  and  RSPAN,  page  22-1 

•  Configuring  SPAN  and  RSPAN,  page  22-9 

•  Displaying  SPAN  and  RSPAN  Status,  page  22-23 

Understanding  SPAN  and  RSPAN 

You  can  analyze  network  traffic  passing  through  ports  or  VLANs  by  using  SPAN  or  RSPAN  to  send  a 
copy  of  the  traffic  to  another  port  on  the  switch  or  on  another  switch  that  has  been  connected  to  a  network 
analyzer  or  other  monitoring  or  security  device.  SPAN  copies  (or  mirrors)  traffic  received  or  sent  (or 
both)  on  source  ports  or  source  VLANs  to  a  destination  port  for  analysis.  SPAN  does  not  affect  the 
switching  of  network  traffic  on  the  source  ports  or  VLANs.  You  must  dedicate  the  destination  port  for 
SPAN  use.  Except  for  traffic  that  is  required  for  the  SPAN  or  RSPAN  session,  destination  ports  do  not 
receive  or  forward  traffic. 

Only  traffic  that  enters  or  leaves  source  ports  or  traffic  that  enters  or  leaves  source  VLANs  can  be 
monitored  by  using  SPAN;  traffic  routed  to  a  source  VLAN  cannot  be  monitored.  For  example,  if 
incoming  traffic  is  being  monitored,  traffic  that  gets  routed  from  another  VLAN  to  the  source  VLAN 
cannot  be  monitored;  however,  traffic  that  is  received  on  the  source  VLAN  and  routed  to  another  VLAN 
can  be  monitored. 

You  can  use  the  SPAN  or  RSPAN  destination  port  to  inject  traffic  from  a  network  security  device.  For 
example,  if  you  connect  a  Cisco  Intrusion  Detection  System  (IDS)  sensor  appliance  to  a  destination  port, 
the  IDS  device  can  send  TCP  reset  packets  to  close  down  the  TCP  session  of  a  suspected  attacker. 
These sections contain this conceptual information:

•  Local  SPAN,  page  22-2 

•  Remote  SPAN,  page  22-2 

•  SPAN  and  RSPAN  Concepts  and  Terminology,  page  22-3 

•  SPAN  and  RSPAN  Interaction  with  Other  Features,  page  22-8 

Local  SPAN 

Local  SPAN  supports  a  SPAN  session  entirely  within  one  switch;  all  source  ports  or  source  VLANs  and 
destination  ports  are  in  the  same  switch.  Local  SPAN  copies  traffic  from  one  or  more  source  ports  in  any 
VLAN  or  from  one  or  more  VLANs  to  a  destination  port  for  analysis.  For  example,  in  Figure  22-1,  all 
traffic  on  port  5  (the  source  port)  is  mirrored  to  port  17  (the  destination  port).  A  network  analyzer  on 
port  17  receives  all  network  traffic  from  port  5  without  being  physically  attached  to  port  5. 


Figure 22-1 Example of Local SPAN Configuration on a Single Switch

[Figure: port 5 (the source port) is mirrored to port 17 (the destination port); a network analyzer is attached to port 17.]


Remote  SPAN 

RSPAN  supports  source  ports,  source  VLANs,  and  destination  ports  on  different  switches,  enabling 
remote  monitoring  of  multiple  switches  across  your  network.  Figure  22-2  shows  source  ports  on  Switch 
A  and  Switch  B.  The  traffic  for  each  RSPAN  session  is  carried  over  a  user-specified  RSPAN  VLAN  that 
is  dedicated  for  that  RSPAN  session  in  all  participating  switches.  The  RSPAN  traffic  from  the  source 
ports  or  VLANs  is  copied  into  the  RSPAN  VLAN  and  forwarded  over  trunk  ports  carrying  the  RSPAN 
VLAN  to  a  destination  session  monitoring  the  RSPAN  VLAN.  Each  RSPAN  source  switch  must  have 
either  ports  or  VLANs  as  RSPAN  sources.  The  destination  is  always  a  physical  port,  as  shown  on  Switch 
C  in  the  figure. 
Figure 22-2 Example of RSPAN Configuration

[Figure: RSPAN source ports and RSPAN source sessions on Switch A and Switch B; RSPAN destination ports on Switch C.]


SPAN  and  RSPAN  Concepts  and  Terminology 

This  section  describes  concepts  and  terminology  associated  with  SPAN  and  RSPAN  configuration. 

SPAN  Sessions 

SPAN  sessions  (local  or  remote)  allow  you  to  monitor  traffic  on  one  or  more  ports,  or  one  or  more 
VLANs,  and  send  the  monitored  traffic  to  one  or  more  destination  ports. 

A  local  SPAN  session  is  an  association  of  a  destination  port  with  source  ports  or  source  VLANs,  all  on 
a  single  network  device.  Local  SPAN  does  not  have  separate  source  and  destination  sessions.  Local 
SPAN  sessions  gather  a  set  of  ingress  and  egress  packets  specified  by  the  user  and  form  them  into  a 
stream  of  SPAN  data,  which  is  directed  to  the  destination  port. 

RSPAN  consists  of  at  least  one  RSPAN  source  session,  an  RSPAN  VLAN,  and  at  least  one  RSPAN 
destination  session.  You  separately  configure  RSPAN  source  sessions  and  RSPAN  destination  sessions 
on  different  network  devices.  To  configure  an  RSPAN  source  session  on  a  device,  you  associate  a  set  of 
source  ports  or  source  VLANs  with  an  RSPAN  VLAN.  The  output  of  this  session  is  the  stream  of  SPAN 
packets  that  are  sent  to  the  RSPAN  VLAN.  To  configure  an  RSPAN  destination  session  on  another 
device,  you  associate  the  destination  port  with  the  RSPAN  VLAN.  The  destination  session  collects  all 
RSPAN  VLAN  traffic  and  sends  it  out  the  RSPAN  destination  port. 
An RSPAN source session is very similar to a local SPAN session, except for where the packet stream
is  directed.  In  an  RSPAN  source  session,  SPAN  packets  are  relabeled  with  the  RSPAN  VLAN  ID  and 
directed  over  normal  trunk  ports  to  the  destination  switch. 

An  RSPAN  destination  session  takes  all  packets  received  on  the  RSPAN  VLAN,  strips  off  the  VLAN 
tagging,  and  presents  them  on  the  destination  port.  Its  purpose  is  to  present  a  copy  of  all  RSPAN  VLAN 
packets  (except  Layer  2  control  packets)  to  the  user  for  analysis. 

There  can  be  more  than  one  source  session  and  more  than  one  destination  session  active  in  the  same 
RSPAN  VLAN.  There  can  also  be  intermediate  switches  separating  the  RSPAN  source  and  destination 
sessions.  These  switches  need  not  be  capable  of  running  RSPAN,  but  they  must  respond  to  the 
requirements  of  the  RSPAN  VLAN  (see  the  "RSPAN  VLAN"  section  on  page  22-7). 

Traffic  monitoring  in  a  SPAN  session  has  these  restrictions: 

•  Sources  can  be  ports  or  VLANs,  but  you  cannot  mix  source  ports  and  source  VLANs  in  the  same 
session. 

•  The  switch  supports  up  to  two  source  sessions  (local  SPAN  and  RSPAN  source  sessions).  You  can 
run  both  a  local  SPAN  and  an  RSPAN  source  session  in  the  same  switch.  The  switch  supports  a  total 
of  66  source  and  RSPAN  destination  sessions. 

•  You  can  have  multiple  destination  ports  in  a  SPAN  session,  but  no  more  than  64  destination  ports. 

•  You  can  configure  two  separate  SPAN  or  RSPAN  source  sessions  with  separate  or  overlapping  sets 
of  SPAN  source  ports  and  VLANs. 

•  SPAN  sessions  do  not  interfere  with  the  normal  operation  of  the  switch.  However,  an 
oversubscribed  SPAN  destination,  for  example,  a  10-Mb/s  port  monitoring  a  100-Mb/s  port,  can 
result  in  dropped  or  lost  packets. 

• When RSPAN is enabled, each packet being monitored is transmitted twice, once as normal traffic and once as a monitored packet. Therefore, monitoring a large number of ports or VLANs could potentially generate large amounts of network traffic.

•  You  can  configure  SPAN  sessions  on  disabled  ports;  however,  a  SPAN  session  does  not  become 
active  unless  you  enable  the  destination  port  and  at  least  one  source  port  or  VLAN  for  that  session. 

•  The  switch  does  not  support  a  combination  of  local  SPAN  and  RSPAN  in  a  single  session.  That  is, 
an  RSPAN  source  session  cannot  have  a  local  destination  port,  an  RSPAN  destination  session 
cannot  have  a  local  source  port,  and  an  RSPAN  destination  session  and  an  RSPAN  source  session 
that  are  using  the  same  RSPAN  VLAN  cannot  run  on  the  same  switch. 

Monitored  Traffic 

SPAN  sessions  can  monitor  these  traffic  types: 

•  Receive  (Rx)  SPAN — The  goal  of  receive  (or  ingress)  SPAN  is  to  monitor  as  much  as  possible  all 
the  packets  received  by  the  source  interface  or  VLAN  before  any  modification  or  processing  is 
performed  by  the  switch.  A  copy  of  each  packet  received  by  the  source  is  sent  to  the  destination  port 
for  that  SPAN  session. 

Packets  that  are  modified  because  of  routing  or  quality  of  service  (QoS) — for  example,  modified 
Differentiated  Services  Code  Point  (DSCP) — are  copied  before  modification. 

Features  that  can  cause  a  packet  to  be  dropped  during  receive  processing  have  no  effect  on  ingress 
SPAN;  the  destination  port  receives  a  copy  of  the  packet  even  if  the  actual  incoming  packet  is 
dropped.  These  features  include  IP  standard  and  extended  input  access  control  lists  (ACLs),  ingress 
QoS  policing,  VLAN  ACLs,  and  egress  QoS  policing. 
• Transmit (Tx) SPAN — The goal of transmit (or egress) SPAN is to monitor as much as possible all
the  packets  sent  by  the  source  interface  after  all  modification  and  processing  is  performed  by  the 
switch.  A  copy  of  each  packet  sent  by  the  source  is  sent  to  the  destination  port  for  that  SPAN  session. 
The  copy  is  provided  after  the  packet  is  modified. 

Features  that  can  cause  a  packet  to  be  dropped  during  transmit  processing  also  affect  the  duplicated 
copy  for  SPAN.  These  features  include  IP  standard  and  extended  output  ACLs  and  egress  QoS 
policing. 

•  Both — In  a  SPAN  session,  you  can  also  monitor  a  port  or  VLAN  for  both  received  and  sent  packets. 
This  is  the  default. 

The  default  configuration  for  local  SPAN  session  ports  is  to  send  all  packets  untagged.  SPAN  also  does 
not  normally  monitor  bridge  protocol  data  unit  (BPDU)  packets  and  Layer  2  protocols,  such  as  Cisco 
Discovery  Protocol  (CDP),  VLAN  Trunk  Protocol  (VTP),  Dynamic  Trunking  Protocol  (DTP),  Spanning 
Tree  Protocol  (STP),  and  Port  Aggregation  Protocol  (PAgP).  However,  when  you  enter  the 
encapsulation  replicate  keywords  when  configuring  a  destination  port,  these  changes  occur: 

• Packets are sent on the destination port with the same encapsulation — untagged, Inter-Switch Link (ISL), or IEEE 802.1Q — that they had on the source port.

• Packets of all types, including BPDU and Layer 2 protocol packets, are monitored.

Therefore, a local SPAN session with encapsulation replicate enabled can have a mixture of untagged, ISL, and IEEE 802.1Q tagged packets appear on the destination port.

Switch  congestion  can  cause  packets  to  be  dropped  at  ingress  source  ports,  egress  source  ports,  or  SPAN 
destination  ports.  In  general,  these  characteristics  are  independent  of  one  another.  For  example: 

•  A  packet  might  be  forwarded  normally  but  dropped  from  monitoring  due  to  an  oversubscribed 
SPAN  destination  port. 

•  An  ingress  packet  might  be  dropped  from  normal  forwarding,  but  still  appear  on  the  SPAN 
destination  port. 

•  An  egress  packet  dropped  because  of  switch  congestion  is  also  dropped  from  egress  SPAN. 

In  some  SPAN  configurations,  multiple  copies  of  the  same  source  packet  are  sent  to  the  SPAN 
destination  port.  For  example,  a  bidirectional  (both  Rx  and  Tx)  SPAN  session  is  configured  for  the  Rx 
monitor  on  port  A  and  Tx  monitor  on  port  B.  If  a  packet  enters  the  switch  through  port  A  and  is  switched 
to  port  B,  both  incoming  and  outgoing  packets  are  sent  to  the  destination  port.  Both  packets  are  the  same. 

Source  Ports 

A  source  port  (also  called  a  monitored  port)  is  a  switched  port  that  you  monitor  for  network  traffic 
analysis.  In  a  local  SPAN  session  or  RSPAN  source  session,  you  can  monitor  source  ports  or  VLANs 
for  traffic  in  one  or  both  directions.  The  switch  supports  any  number  of  source  ports  (up  to  the  maximum 
number  of  available  ports  on  the  switch)  and  any  number  of  source  VLANs  (up  to  the  maximum  number 
of  VLANs  supported).  However,  the  switch  supports  a  maximum  of  two  sessions  (local  or  RSPAN)  with 
source  ports  or  VLANs,  and  you  cannot  mix  ports  and  VLANs  in  a  single  session. 

A  source  port  has  these  characteristics: 

•  It  can  be  monitored  in  multiple  SPAN  sessions. 

•  Each  source  port  can  be  configured  with  a  direction  (ingress,  egress,  or  both)  to  monitor. 

•  It  can  be  any  port  type  (for  example,  EtherChannel,  Gigabit  Ethernet,  and  so  forth). 

•  For  EtherChannel  sources,  you  can  monitor  traffic  for  the  entire  EtherChannel  or  individually  on  a 
physical  port  as  it  participates  in  the  port  channel. 
• It can be an access port, trunk port, or voice VLAN port.

•  It  cannot  be  a  destination  port. 

•  Source  ports  can  be  in  the  same  or  different  VLANs. 

•  You  can  monitor  multiple  source  ports  in  a  single  session. 

Source  VLANs 

VLAN-based  SPAN  (VSPAN)  is  the  monitoring  of  the  network  traffic  in  one  or  more  VLANs.  The 
SPAN  or  RSPAN  source  interface  in  VSPAN  is  a  VLAN  ID,  and  traffic  is  monitored  on  all  the  ports  for 
that  VLAN. 

VSPAN  has  these  characteristics: 

•  All  active  ports  in  the  source  VLAN  are  included  as  source  ports  and  can  be  monitored  in  either  or 
both  directions. 

•  On  a  given  port,  only  traffic  on  the  monitored  VLAN  is  sent  to  the  destination  port. 

•  If  a  destination  port  belongs  to  a  source  VLAN,  it  is  excluded  from  the  source  list  and  is  not 
monitored. 

•  If  ports  are  added  to  or  removed  from  the  source  VLANs,  the  traffic  on  the  source  VLAN  received 
by  those  ports  is  added  to  or  removed  from  the  sources  being  monitored. 

•  You  cannot  use  filter  VLANs  in  the  same  session  with  VLAN  sources. 

•  You  can  monitor  only  Ethernet  VLANs. 

VLAN  Filtering 

When  you  monitor  a  trunk  port  as  a  source  port,  by  default,  all  VLANs  active  on  the  trunk  are  monitored. 
You  can  limit  SPAN  traffic  monitoring  on  trunk  source  ports  to  specific  VLANs  by  using  VLAN 
filtering. 

•  VLAN  filtering  applies  only  to  trunk  ports  or  to  voice  VLAN  ports. 

•  VLAN  filtering  applies  only  to  port-based  sessions  and  is  not  allowed  in  sessions  with  VLAN 
sources. 

•  When  a  VLAN  filter  list  is  specified,  only  those  VLANs  in  the  list  are  monitored  on  trunk  ports  or 
on  voice  VLAN  access  ports. 

•  SPAN  traffic  coming  from  other  port  types  is  not  affected  by  VLAN  filtering;  that  is,  all  VLANs  are 
allowed  on  other  ports. 

•  VLAN  filtering  affects  only  traffic  forwarded  to  the  destination  SPAN  port  and  does  not  affect  the 
switching  of  normal  traffic. 

Destination  Port 

Each  local  SPAN  session  or  RSPAN  destination  session  must  have  a  destination  port  (also  called  a 
monitoring  port)  that  receives  a  copy  of  traffic  from  the  source  ports  or  VLANs  and  sends  the  SPAN 
packets  to  the  user,  usually  a  network  analyzer. 

22-6    Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide    380261-003


A  destination  port  has  these  characteristics: 

•  For  a  local  SPAN  session,  the  destination  port  must  reside  on  the  same  switch  as  the  source  port. 
For  an  RSPAN  session,  it  is  located  on  the  switch  containing  the  RSPAN  destination  session.  There 
is  no  destination  port  on  a  switch  running  only  an  RSPAN  source  session. 

• When a port is configured as a SPAN destination port, the configuration overwrites the original port configuration. When the SPAN destination configuration is removed, the port reverts to its previous configuration. If a configuration change is made to the port while it is acting as a SPAN destination port, the change does not take effect until the SPAN destination configuration has been removed.

•  If  the  port  was  in  an  EtherChannel  group,  it  is  removed  from  the  group  while  it  is  a  destination  port. 

•  It  can  be  any  Ethernet  physical  port. 

•  It  cannot  be  a  secure  port. 

•  It  cannot  be  a  source  port. 

•  It  cannot  be  an  EtherChannel  group  or  a  VLAN. 

•  It  can  participate  in  only  one  SPAN  session  at  a  time  (a  destination  port  in  one  SPAN  session  cannot 
be  a  destination  port  for  a  second  SPAN  session). 

•  When  it  is  active,  incoming  traffic  is  disabled.  The  port  does  not  transmit  any  traffic  except  that 
required  for  the  SPAN  session.  Incoming  traffic  is  never  learned  or  forwarded  on  a  destination  port. 

•  If  ingress  traffic  forwarding  is  enabled  for  a  network  security  device,  the  destination  port  forwards 
traffic  at  Layer  2. 

• It does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PAgP).

•  A  destination  port  that  belongs  to  a  source  VLAN  of  any  SPAN  session  is  excluded  from  the  source 
list  and  is  not  monitored. 

•  The  maximum  number  of  destination  ports  in  a  switch  is  64. 

Local  SPAN  and  RSPAN  destination  ports  behave  differently  regarding  VLAN  tagging  and 
encapsulation: 

• For local SPAN, if the encapsulation replicate keywords are specified for the destination port, these packets appear with the original encapsulation (untagged, ISL, or IEEE 802.1Q). If these keywords are not specified, packets appear in the untagged format. Therefore, the output of a local SPAN session with encapsulation replicate enabled can contain a mixture of untagged, ISL, or IEEE 802.1Q-tagged packets.

•  For  RSPAN,  the  original  VLAN  ID  is  lost  because  it  is  overwritten  by  the  RSPAN  VLAN 
identification.  Therefore,  all  packets  appear  on  the  destination  port  as  untagged. 

RSPAN  VLAN 

The  RSPAN  VLAN  carries  SPAN  traffic  between  RSPAN  source  and  destination  sessions.  It  has  these 
special  characteristics: 

•  All  traffic  in  the  RSPAN  VLAN  is  always  flooded. 

•  No  MAC  address  learning  occurs  on  the  RSPAN  VLAN. 

•  RSPAN  VLAN  traffic  only  flows  on  trunk  ports. 

•  RSPAN  VLANs  must  be  configured  in  VLAN  configuration  mode  by  using  the  remote-span  VLAN 
configuration  mode  command. 

•  STP  can  run  on  RSPAN  VLAN  trunks  but  not  on  SPAN  destination  ports. 
For VLANs 1 to 1005 that are visible to VLAN Trunking Protocol (VTP), the VLAN ID and its
associated  RSPAN  characteristic  are  propagated  by  VTP.  If  you  assign  an  RSPAN  VLAN  ID  in  the 
extended  VLAN  range  (1006  to  4094),  you  must  manually  configure  all  intermediate  switches. 

It  is  normal  to  have  multiple  RSPAN  VLANs  in  a  network  at  the  same  time  with  each  RSPAN  VLAN 
defining  a  network-wide  RSPAN  session.  That  is,  multiple  RSPAN  source  sessions  anywhere  in  the 
network  can  contribute  packets  to  the  RSPAN  session.  It  is  also  possible  to  have  multiple  RSPAN 
destination  sessions  throughout  the  network,  monitoring  the  same  RSPAN  VLAN  and  presenting  traffic 
to  the  user.  The  RSPAN  VLAN  ID  separates  the  sessions. 
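An end-to-end RSPAN configuration that puts the concepts above together: the RSPAN VLAN declared with the remote-span command on every participating switch, a source session on Switch A that copies traffic into that VLAN, and a destination session on Switch C that takes it out to the analyzer port. This is an added example and not the guide's own configuration (the guide's RSPAN procedure is in its Configuring RSPAN section). The hostnames, VLAN 901, and the interface names are constructed; the monitor session ... remote vlan keywords are the standard Cisco IOS syntax assumed here.

```cisco
! Added example, not from the guide. Hostnames, VLAN 901 and interface names are illustrative.
!
! --- Every switch on the path (A, any intermediate switch, C): declare the RSPAN VLAN.
! 901 is in the extended range (1006 to 4094 is extended; 901 is not), so VTP can
! propagate it, but it still has to be allowed on every trunk the copies will cross.
SwitchA(config)# vlan 901
SwitchA(config-vlan)# remote-span
SwitchA(config-vlan)# exit
!
! --- Switch A: RSPAN source session. Sources are ports only (ports and VLANs
! cannot be mixed); copies are relabeled with VLAN 901 and leave over trunks.
! rx only keeps the doubled transmission cost of RSPAN bounded.
SwitchA(config)# no monitor session 1
SwitchA(config)# monitor session 1 source interface gigabitethernet0/2 rx
SwitchA(config)# monitor session 1 source interface gigabitethernet0/3 rx
SwitchA(config)# monitor session 1 destination remote vlan 901
SwitchA(config)# end
SwitchA# show monitor session 1
!
! --- Switch C: RSPAN destination session. It must not share a switch with a
! source session that uses VLAN 901. Tags are stripped, so the analyzer on
! GigabitEthernet0/24 sees every copied packet untagged.
SwitchC(config)# vlan 901
SwitchC(config-vlan)# remote-span
SwitchC(config-vlan)# exit
SwitchC(config)# no monitor session 1
SwitchC(config)# monitor session 1 source remote vlan 901
SwitchC(config)# monitor session 1 destination interface gigabitethernet0/24
SwitchC(config)# end
SwitchC# show monitor session 1
```

Because all traffic in an RSPAN VLAN is flooded and never MAC-learned, every trunk that carries VLAN 901 delivers the mirrored traffic to whatever is on the far end. Restrict the RSPAN VLAN to the trunks on the Switch A to Switch C path, either with VTP pruning as the guide notes or with an explicit trunk allowed-VLAN list (the standard switchport trunk allowed vlan interface command), so that a copy of monitored traffic is not available on trunks that do not need it.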

SPAN  and  RSPAN  Interaction  with  Other  Features 

SPAN  interacts  with  these  features: 

•  STP — A  destination  port  does  not  participate  in  STP  while  its  SPAN  or  RSPAN  session  is  active. 
The  destination  port  can  participate  in  STP  after  the  SPAN  or  RSPAN  session  is  disabled.  On  a 
source  port,  SPAN  does  not  affect  the  STP  status.  STP  can  be  active  on  trunk  ports  carrying  an 
RSPAN  VLAN. 

•  CDP — A  SPAN  destination  port  does  not  participate  in  CDP  while  the  SPAN  session  is  active.  After 
the  SPAN  session  is  disabled,  the  port  again  participates  in  CDP. 

•  VTP — You  can  use  VTP  to  prune  an  RSPAN  VLAN  between  switches. 

•  VLAN  and  trunking — You  can  modify  VLAN  membership  or  trunk  settings  for  source  or 
destination  ports  at  any  time.  However,  changes  in  VLAN  membership  or  trunk  settings  for  a 
destination  port  do  not  take  effect  until  you  remove  the  SPAN  destination  configuration.  Changes 
in  VLAN  membership  or  trunk  settings  for  a  source  port  immediately  take  effect,  and  the  respective 
SPAN  sessions  automatically  adjust  accordingly. 

•  EtherChannel — You  can  configure  an  EtherChannel  group  as  a  source  port  but  not  as  a  SPAN 
destination  port.  When  a  group  is  configured  as  a  SPAN  source,  the  entire  group  is  monitored. 

If  a  physical  port  is  added  to  a  monitored  EtherChannel  group,  the  new  port  is  added  to  the  SPAN 
source  port  list.  If  a  port  is  removed  from  a  monitored  EtherChannel  group,  it  is  automatically 
removed  from  the  source  port  list. 

A  physical  port  that  belongs  to  an  EtherChannel  group  can  be  configured  as  a  SPAN  source  port  and 
still  be  a  part  of  the  EtherChannel.  In  this  case,  data  from  the  physical  port  is  monitored  as  it 
participates  in  the  EtherChannel.  However,  if  a  physical  port  that  belongs  to  an  EtherChannel  group 
is  configured  as  a  SPAN  destination,  it  is  removed  from  the  group.  After  the  port  is  removed  from 
the  SPAN  session,  it  rejoins  the  EtherChannel  group.  Ports  removed  from  an  EtherChannel  group 
remain  members  of  the  group,  but  they  are  in  the  inactive  or  suspended  state. 

If  a  physical  port  that  belongs  to  an  EtherChannel  group  is  a  destination  port  and  the  EtherChannel 
group  is  a  source,  the  port  is  removed  from  the  EtherChannel  group  and  from  the  list  of  monitored 
ports. 

•  Multicast  traffic  can  be  monitored.  For  egress  and  ingress  port  monitoring,  only  a  single  unedited 
packet  is  sent  to  the  SPAN  destination  port.  It  does  not  reflect  the  number  of  times  the  multicast 
packet  is  sent. 
• A secure port cannot be a SPAN destination port.

For  SPAN  sessions,  do  not  enable  port  security  on  ports  with  monitored  egress  when  ingress 
forwarding  is  enabled  on  the  destination  port.  For  RSPAN  source  sessions,  do  not  enable  port 
security  on  any  ports  with  monitored  egress. 

• An IEEE 802.1x port can be a SPAN source port. You can enable IEEE 802.1x on a port that is a SPAN destination port; however, IEEE 802.1x is disabled until the port is removed as a SPAN destination.

For SPAN sessions, do not enable IEEE 802.1x on ports with monitored egress when ingress forwarding is enabled on the destination port. For RSPAN source sessions, do not enable IEEE 802.1x on any ports that are egress monitored.

Configuring  SPAN  and  RSPAN 

These  sections  contain  this  configuration  information: 

•  Default  SPAN  and  RSPAN  Configuration,  page  22-9 

•  Configuring  Local  SPAN,  page  22-9 

•  Configuring  RSPAN,  page  22-15 

Default  SPAN  and  RSPAN  Configuration 


Table 22-1 shows the default SPAN and RSPAN configuration.

Table 22-1 Default SPAN and RSPAN Configuration

Feature                                 Default Setting
--------------------------------------  -------------------------------------------------------------------
SPAN state (SPAN and RSPAN)             Disabled.
Source port traffic to monitor          Both received and sent traffic (both).
Encapsulation type (destination port)   Native form (untagged packets).
Ingress forwarding (destination port)   Disabled.
VLAN filtering                          On a trunk interface used as a source port, all VLANs are monitored.
RSPAN VLANs                             None configured.

Configuring  Local  SPAN 

These  sections  contain  this  configuration  information: 

•  SPAN  Configuration  Guidelines,  page  22-10 

•  Creating  a  Local  SPAN  Session,  page  22-10 

•  Creating  a  Local  SPAN  Session  and  Configuring  Incoming  Traffic,  page  22-13 

•  Specifying  VLANs  to  Filter,  page  22-14 
SPAN Configuration Guidelines

Follow  these  guidelines  when  configuring  SPAN: 

•  For  SPAN  sources,  you  can  monitor  traffic  for  a  single  port  or  VLAN  or  a  series  or  range  of  ports 
or  VLANs  for  each  session.  You  cannot  mix  source  ports  and  source  VLANs  within  a  single  SPAN 
session. 

•  The  destination  port  cannot  be  a  source  port;  a  source  port  cannot  be  a  destination  port. 

•  You  cannot  have  two  SPAN  sessions  using  the  same  destination  port. 

•  When  you  configure  a  switch  port  as  a  SPAN  destination  port,  it  is  no  longer  a  normal  switch  port; 
only  monitored  traffic  passes  through  the  SPAN  destination  port. 

• Entering SPAN configuration commands does not remove previously configured SPAN parameters. You must enter the no monitor session {session_number | all | local | remote} global configuration command to delete configured SPAN parameters.

• For local SPAN, outgoing packets through the SPAN destination port carry the original encapsulation headers — untagged, ISL, or IEEE 802.1Q — if the encapsulation replicate keywords are specified. If the keywords are not specified, the packets are sent in native form. For RSPAN destination ports, outgoing packets are not tagged.

•  You  can  configure  a  disabled  port  to  be  a  source  or  destination  port,  but  the  SPAN  function  does  not 
start  until  the  destination  port  and  at  least  one  source  port  or  source  VLAN  are  enabled. 

•  You  can  limit  SPAN  traffic  to  specific  VLANs  by  using  the  filter  vlan  keyword.  If  a  trunk  port  is 
being  monitored,  only  traffic  on  the  VLANs  specified  with  this  keyword  is  monitored.  By  default, 
all  VLANs  are  monitored  on  a  trunk  port. 

•  You  cannot  mix  source  VLANs  and  filter  VLANs  within  a  single  SPAN  session. 

•  Egress  SPAN  routed  packets  (both  unicast  and  multicast)  show  the  incorrect  source  MAC  address. 
For  local  SPAN  packets  with  native  encapsulation  on  the  destination  port,  the  packet  shows  the  MAC 
address  of  VLAN  1 .  This  problem  does  not  appear  with  local  SPAN  when  the  encapsulation  replicate 
option  is  used.  This  limitation  does  not  apply  to  bridged  packets.  The  workaround  is  to  use  the 
encapsulate  replicate  keywords  in  the  monitor  session  global  configuration  command. 


Creating  a  Local  SPAN  Session 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  create  a  SPAN  session  and  specify  the  source 
(monitored)  ports  or  VLANs  and  the  destination  (monitoring)  ports: 


Step 1   configure terminal
         Enter global configuration mode.

Step 2   no monitor session {session_number | all | local | remote}
         Remove any existing SPAN configuration for the session.
         For session_number, the range is 1 to 66.
         Specify all to remove all SPAN sessions, local to remove all local sessions, or remote to remove all
         remote SPAN sessions.

Step 3   monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
         Specify the SPAN session and the source port (monitored port).
         For session_number, the range is 1 to 66.
         Enter a source port or source VLAN for the session:
         •  For interface-id, specify the source port to monitor. Valid interfaces include physical interfaces
            and port-channel logical interfaces (port-channel port-channel-number). Valid port-channel numbers
            are 1 to 48.
         •  For vlan-id, specify the source VLAN to monitor. The range is 1 to 4094 (excluding the RSPAN VLAN).
         Note  A single session can include multiple sources (ports or VLANs), defined in a series of commands,
               but you cannot combine source ports and source VLANs in one session.
         (Optional) [, | -] Specify a series or range of interfaces. Enter a space before and after the comma;
         enter a space before and after the hyphen.
         (Optional) Specify the direction of traffic to monitor. If you do not specify a traffic direction, SPAN
         monitors both sent and received traffic.
         •  both: Monitor both received and sent traffic. This is the default.
         •  rx: Monitor received traffic.
         •  tx: Monitor sent traffic.
         Note  You can use the monitor session session_number source command multiple times to configure
               multiple source ports.

Step 4   monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}
         Specify the SPAN session and the destination port (monitoring port).
         For session_number, specify the session number entered in Step 3.
         Note  For local SPAN, you must use the same session number for the source and destination interfaces.
         For interface-id, specify the destination port. The destination interface must be a physical port; it
         cannot be an EtherChannel, and it cannot be a VLAN.
         (Optional) [, | -] Specify a series or range of interfaces. Enter a space before and after the comma;
         enter a space before and after the hyphen.
         (Optional) Enter encapsulation replicate to specify that the destination interface replicates the source
         interface encapsulation method. If not selected, the default is to send packets in native form (untagged).
         Note  You can use the monitor session session_number destination command multiple times to configure
               multiple destination ports.

Step 5   end
         Return to privileged EXEC mode.

Step 6   show monitor [session session_number]
         show running-config
         Verify the configuration.

Step 7   copy running-config startup-config
         (Optional) Save the configuration in the configuration file.

To delete a SPAN session, use the no monitor session session_number global configuration command.
To remove a source or destination port or VLAN from the SPAN session, use the no monitor session
session_number source {interface interface-id | vlan vlan-id} global configuration command or the no
monitor session session_number destination interface interface-id global configuration command. For
destination interfaces, the encapsulation options are ignored with the no form of the command.

This  example  shows  how  to  set  up  SPAN  session  1  for  monitoring  source  port  traffic  to  a  destination 
port.  First,  any  existing  SPAN  configuration  for  session  1  is  deleted,  and  then  bidirectional  traffic  is 
mirrored  from  source  Gigabit  Ethernet  port  1  to  destination  Gigabit  Ethernet  port  2,  retaining  the 
encapsulation  method. 

Switch(config)# no monitor session 1
Switch(config)# monitor session 1 source interface gigabitethernet0/1
Switch(config)# monitor session 1 destination interface gigabitethernet0/2 encapsulation replicate
Switch(config)# end

This example shows how to remove port 1 as a SPAN source for SPAN session 1:

Switch(config)# no monitor session 1 source interface gigabitethernet0/1
Switch(config)# end

This example shows how to disable received traffic monitoring on port 1, which was configured for
bidirectional monitoring:

Switch(config)# no monitor session 1 source interface gigabitethernet0/1 rx

The monitoring of traffic received on port 1 is disabled, but traffic sent from this port continues to be
monitored.

This example shows how to remove any existing configuration on SPAN session 2, configure SPAN
session 2 to monitor received traffic on all ports belonging to VLANs 1 through 3, and send it to
destination Gigabit Ethernet port 2. The configuration is then modified to also monitor all traffic on all
ports belonging to VLAN 10.

Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source vlan 1 - 3 rx
Switch(config)# monitor session 2 destination interface gigabitethernet0/2
Switch(config)# monitor session 2 source vlan 10
Switch(config)# end


22-12
Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide
380261-003
Chapter 22    Configuring SPAN and RSPAN


Creating  a  Local  SPAN  Session  and  Configuring  Incoming  Traffic 

Beginning in privileged EXEC mode, follow these steps to create a SPAN session, to specify the source
ports or VLANs and the destination ports, and to enable incoming traffic on the destination port for a
network security device (such as a Cisco IDS Sensor Appliance). Ingress forwarding is disabled by
default; once enabled, frames that the attached device sends into the destination port are switched onto
the VLAN you specify, so enable it only for a device that needs to send traffic into the network, and
choose that VLAN deliberately.

For details about the keywords not related to incoming traffic, see the "Creating a Local SPAN Session"
section on page 22-10.


Step 1   configure terminal
         Enter global configuration mode.

Step 2   no monitor session {session_number | all | local | remote}
         Remove any existing SPAN configuration for the session.

Step 3   monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
         Specify the SPAN session and the source port (monitored port).

Step 4   monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]
         [ingress {dot1q vlan vlan-id | isl | untagged vlan vlan-id | vlan vlan-id}]}
         Specify the SPAN session, the destination port, the packet encapsulation, and the ingress VLAN and
         encapsulation.
         For session_number, specify the session number entered in Step 3.
         For interface-id, specify the destination port. The destination interface must be a physical port; it
         cannot be an EtherChannel, and it cannot be a VLAN.
         (Optional) [, | -] Specify a series or range of interfaces. Enter a space before and after the comma or
         hyphen.
         (Optional) Enter encapsulation replicate to specify that the destination interface replicates the source
         interface encapsulation method. If not selected, the default is to send packets in native form (untagged).
         Enter ingress with additional keywords to enable forwarding of incoming traffic on the destination port
         and to specify the encapsulation type:
         •  dot1q vlan vlan-id: Accept incoming packets with IEEE 802.1Q encapsulation with the specified VLAN
            as the default VLAN.
         •  isl: Forward ingress packets with ISL encapsulation.
         •  untagged vlan vlan-id or vlan vlan-id: Accept incoming packets with untagged encapsulation type with
            the specified VLAN as the default VLAN.

Step 5   end
         Return to privileged EXEC mode.

Step 6   show monitor [session session_number]
         show running-config
         Verify the configuration.

Step 7   copy running-config startup-config
         (Optional) Save the configuration in the configuration file.
To delete a SPAN session, use the no monitor session session_number global configuration command.
To remove a source or destination port or VLAN from the SPAN session, use the no monitor session
session_number source {interface interface-id | vlan vlan-id} global configuration command or the no
monitor session session_number destination interface interface-id global configuration command. For
destination interfaces, the encapsulation and ingress options are ignored with the no form of the
command.

This example shows how to remove any existing configuration on SPAN session 2, configure SPAN
session 2 to monitor received traffic on Gigabit Ethernet source port 1, and send it to destination Gigabit
Ethernet port 2 with the same egress encapsulation type as the source port, and to enable ingress
forwarding with IEEE 802.1Q encapsulation and VLAN 6 as the default ingress VLAN.

Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source interface gigabitethernet0/1 rx
Switch(config)# monitor session 2 destination interface gigabitethernet0/2 encapsulation replicate ingress dot1q vlan 6
Switch(config)# end

Specifying  VLANs  to  Filter 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  limit  SPAN  source  traffic  to  specific  VLANs: 


Step 1   configure terminal
         Enter global configuration mode.

Step 2   no monitor session {session_number | all | local | remote}
         Remove any existing SPAN configuration for the session.
         For session_number, the range is 1 to 66.
         Specify all to remove all SPAN sessions, local to remove all local sessions, or remote to remove all
         remote SPAN sessions.

Step 3   monitor session session_number source interface interface-id
         Specify the characteristics of the source port (monitored port) and SPAN session.
         For session_number, the range is 1 to 66.
         For interface-id, specify the source port to monitor. The interface specified must already be
         configured as a trunk port.

Step 4   monitor session session_number filter vlan vlan-id [, | -]
         Limit the SPAN source traffic to specific VLANs.
         For session_number, enter the session number specified in Step 3.
         For vlan-id, the range is 1 to 4094.
         (Optional) Use a comma (,) to specify a series of VLANs, or use a hyphen (-) to specify a range of
         VLANs. Enter a space before and after the comma; enter a space before and after the hyphen.

Step 5   monitor session session_number destination {interface interface-id [, | -] [encapsulation replicate]}
         Specify the SPAN session and the destination port (monitoring port).
         For session_number, specify the session number entered in Step 3.
         For interface-id, specify the destination port. The destination interface must be a physical port; it
         cannot be an EtherChannel, and it cannot be a VLAN.
         (Optional) [, | -] Specify a series or range of interfaces. Enter a space before and after the comma;
         enter a space before and after the hyphen.
         (Optional) Enter encapsulation replicate to specify that the destination interface replicates the source
         interface encapsulation method. If not selected, the default is to send packets in native form (untagged).

Step 6   end
         Return to privileged EXEC mode.

Step 7   show monitor [session session_number]
         show running-config
         Verify the configuration.

Step 8   copy running-config startup-config
         (Optional) Save the configuration in the configuration file.

To  monitor  all  VLANs  on  the  trunk  port,  use  the  no  monitor  session  session_number  filter  global 
configuration  command. 

This example shows how to remove any existing configuration on SPAN session 2, configure SPAN
session 2 to monitor traffic received on Gigabit Ethernet trunk port 2, and send traffic for only VLANs
1 through 5 and VLAN 9 to destination Gigabit Ethernet port 1.

Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source interface gigabitethernet0/2 rx
Switch(config)# monitor session 2 filter vlan 1 - 5 , 9
Switch(config)# monitor session 2 destination interface gigabitethernet0/1
Switch(config)# end


Configuring  RSPAN 

These  sections  contain  this  configuration  information: 

•  RSPAN  Configuration  Guidelines,  page  22-15 

•  Configuring  a  VLAN  as  an  RSPAN  VLAN,  page  22-16 

•  Creating  an  RSPAN  Source  Session,  page  22-17 

•  Creating  an  RSPAN  Destination  Session,  page  22-19 

•  Creating  an  RSPAN  Destination  Session  and  Configuring  Incoming  Traffic,  page  22-20 

•  Specifying  VLANs  to  Filter,  page  22-22 

RSPAN  Configuration  Guidelines 

Follow  these  guidelines  when  configuring  RSPAN: 

•  All  the  items  in  the  "SPAN  Configuration  Guidelines"  section  on  page  22-10  apply  to  RSPAN. 

•  As  RSPAN  VLANs  have  special  properties,  you  should  reserve  a  few  VLANs  across  your  network 
for  use  as  RSPAN  VLANs;  do  not  assign  access  ports  to  these  VLANs. 
•  You can apply an output ACL to RSPAN traffic to selectively filter or monitor specific packets.
Specify  these  ACLs  on  the  RSPAN  VLAN  in  the  RSPAN  source  switches. 

•  For  RSPAN  configuration,  you  can  distribute  the  source  ports  and  the  destination  ports  across 
multiple  switches  in  your  network. 

•  RSPAN  does  not  support  BPDU  packet  monitoring  or  other  Layer  2  switch  protocols. 

•  The  RSPAN  VLAN  is  configured  only  on  trunk  ports  and  not  on  access  ports.  To  avoid  unwanted 
traffic  in  RSPAN  VLANs,  make  sure  that  the  VLAN  remote-span  feature  is  supported  in  all  the 
participating  switches. 

•  Access  ports  (including  voice  VLAN  ports)  on  the  RSPAN  VLAN  are  put  in  the  inactive  state. 

•  RSPAN  VLANs  are  included  as  sources  for  port-based  RSPAN  sessions  when  source  trunk  ports 
have  active  RSPAN  VLANs.  RSPAN  VLANs  can  also  be  sources  in  SPAN  sessions.  However,  since 
the  switch  does  not  monitor  spanned  traffic,  it  does  not  support  egress  spanning  of  packets  on  any 
RSPAN  VLAN  identified  as  the  destination  of  an  RSPAN  source  session  on  the  switch. 

•  You  can  configure  any  VLAN  as  an  RSPAN  VLAN  as  long  as  these  conditions  are  met: 

-  The  same  RSPAN  VLAN  is  used  for  an  RSPAN  session  in  all  the  switches. 

-  All  participating  switches  support  RSPAN. 

•  We  recommend  that  you  configure  an  RSPAN  VLAN  before  you  configure  an  RSPAN  source  or  a 
destination  session. 

•  If  you  enable  VTP  and  VTP  pruning,  RSPAN  traffic  is  pruned  in  the  trunks  to  prevent  the  unwanted 
flooding  of  RSPAN  traffic  across  the  network  for  VLAN  IDs  that  are  lower  than  1005. 

•  These  are  the  hardware  limitations  related  to  RSPAN: 

-  Egress  SPAN  routed  packets  (both  unicast  and  multicast)  show  the  incorrect  source  MAC 
address.  For  remote  SPAN  packets,  the  source  MAC  address  should  be  the  MAC  address  of  the 
egress  VLAN,  but  instead  the  packet  shows  the  MAC  address  of  the  RSPAN  VLAN.  There  is 
no  workaround. 

-  During  periods  of  very  high  traffic,  when  two  RSPAN  source  sessions  are  configured,  the 
VLAN  ID  of  packets  in  one  RSPAN  session  might  overwrite  the  VLAN  ID  of  the  other  RSPAN 
session.  If  this  occurs,  packets  intended  for  one  RSPAN  VLAN  are  incorrectly  sent  to  the  other 
RSPAN  VLAN.  This  problem  does  not  affect  RSPAN  destination  sessions.  The  workaround  is 
to  configure  only  one  RSPAN  source  session. 

Configuring  a  VLAN  as  an  RSPAN  VLAN 

First  create  a  new  VLAN  to  be  the  RSPAN  VLAN  for  the  RSPAN  session.  You  must  create  the  RSPAN 
VLAN  in  all  switches  that  will  participate  in  RSPAN.  If  the  RSPAN  VLAN-ID  is  in  the  normal  range 
(lower  than  1005)  and  VTP  is  enabled  in  the  network,  you  can  create  the  RSPAN  VLAN  in  one  switch, 
and  VTP  propagates  it  to  the  other  switches  in  the  VTP  domain.  For  extended-range  VLANs  (greater 
than  1005),  you  must  configure  RSPAN  VLAN  on  both  source  and  destination  switches  and  any 
intermediate  switches. 

Use  VTP  pruning  to  get  an  efficient  flow  of  RSPAN  traffic,  or  manually  delete  the  RSPAN  VLAN  from 
all  trunks  that  do  not  need  to  carry  the  RSPAN  traffic. 
Beginning in privileged EXEC mode, follow these steps to create an RSPAN VLAN:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   vlan vlan-id
         Enter a VLAN ID to create a VLAN, or enter the VLAN ID of an existing VLAN, and enter VLAN
         configuration mode. The range is 2 to 1001 and 1006 to 4094.
         The RSPAN VLAN cannot be VLAN 1 (the default VLAN) or VLAN IDs 1002 through 1005 (reserved for
         Token Ring and FDDI VLANs).

Step 3   remote-span
         Configure the VLAN as an RSPAN VLAN.

Step 4   end
         Return to privileged EXEC mode.

Step 5   copy running-config startup-config
         (Optional) Save the configuration in the configuration file.

To  remove  the  remote  SPAN  characteristic  from  a  VLAN  and  convert  it  back  to  a  normal  VLAN,  use 
the  no  remote-span  VLAN  configuration  command. 

This  example  shows  how  to  create  RSPAN  VLAN  901. 

Switch(config)# vlan 901
Switch(config-vlan)# remote-span
Switch(config-vlan)# end


Creating  an  RSPAN  Source  Session 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  start  an  RSPAN  source  session  and  to  specify 
the  monitored  source  and  the  destination  RSPAN  VLAN: 


Step 1   configure terminal
         Enter global configuration mode.

Step 2   no monitor session {session_number | all | local | remote}
         Remove any existing RSPAN configuration for the session.
         For session_number, the range is 1 to 66.
         Specify all to remove all RSPAN sessions, local to remove all local sessions, or remote to remove all
         remote SPAN sessions.

Step 3   monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]
         Specify the RSPAN session and the source port (monitored port).
         For session_number, the range is 1 to 66.
         Enter a source port or source VLAN for the RSPAN session:
         •  For interface-id, specify the source port to monitor. Valid interfaces include physical interfaces
            and port-channel logical interfaces (port-channel port-channel-number). Valid port-channel numbers
            are 1 to 48.
         •  For vlan-id, specify the source VLAN to monitor. The range is 1 to 4094 (excluding the RSPAN VLAN).
         A single session can include multiple sources (ports or VLANs), defined in a series of commands, but
         you cannot combine source ports and source VLANs in one session.
         (Optional) [, | -] Specify a series or range of interfaces. Enter a space before and after the comma;
         enter a space before and after the hyphen.
         (Optional) Specify the direction of traffic to monitor. If you do not specify a traffic direction, both
         sent and received traffic on the source interface is monitored.
         •  both: Monitor both received and sent traffic.
         •  rx: Monitor received traffic.
         •  tx: Monitor sent traffic.

Step 4   monitor session session_number destination remote vlan vlan-id
         Specify the RSPAN session and the destination RSPAN VLAN.
         For session_number, enter the number defined in Step 3.
         For vlan-id, specify the RSPAN VLAN that carries the monitored traffic to the destination switch.

Step 5   end
         Return to privileged EXEC mode.

Step 6   show monitor [session session_number]
         show running-config
         Verify the configuration.

Step 7   copy running-config startup-config
         (Optional) Save the configuration in the configuration file.

To delete a SPAN session, use the no monitor session session_number global configuration command.

To remove a source port or VLAN from the SPAN session, use the no monitor session session_number
source {interface interface-id | vlan vlan-id} global configuration command. To remove the RSPAN
VLAN from the session, use the no monitor session session_number destination remote vlan vlan-id.

This  example  shows  how  to  remove  any  existing  RSPAN  configuration  for  session  1,  configure  RSPAN 
session  1  to  monitor  multiple  source  interfaces,  and  configure  the  destination  as  RSPAN  VLAN  901. 

Switch(config)# no monitor session 1
Switch(config)# monitor session 1 source interface gigabitethernet0/1 tx
Switch(config)# monitor session 1 source interface gigabitethernet0/2 rx
Switch(config)# monitor session 1 source interface port-channel 2
Switch(config)# monitor session 1 destination remote vlan 901
Switch(config)# end
Creating an RSPAN Destination Session

You  configure  the  RSPAN  destination  session  on  a  different  switch;  that  is,  not  the  switch  on  which  the 
source  session  was  configured. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  define  the  RSPAN  VLAN  on  that  switch,  to 
create  an  RSPAN  destination  session,  and  to  specify  the  source  RSPAN  VLAN  and  the  destination  port: 


Step 1   configure terminal
         Enter global configuration mode.

Step 2   vlan vlan-id
         Enter the VLAN ID of the RSPAN VLAN created from the source switch, and enter VLAN configuration
         mode.
         If both switches are participating in VTP and the RSPAN VLAN ID is from 2 to 1005, Steps 2 through 4
         are not required because the RSPAN VLAN ID is propagated through the VTP network.

Step 3   remote-span
         Identify the VLAN as the RSPAN VLAN.

Step 4   exit
         Return to global configuration mode.

Step 5   no monitor session {session_number | all | local | remote}
         Remove any existing RSPAN configuration for the session.
         For session_number, the range is 1 to 66.
         Specify all to remove all RSPAN sessions, local to remove all local sessions, or remote to remove all
         remote SPAN sessions.

Step 6   monitor session session_number source remote vlan vlan-id
         Specify the RSPAN session and the source RSPAN VLAN.
         For session_number, the range is 1 to 66.
         For vlan-id, specify the source RSPAN VLAN to monitor.

Step 7   monitor session session_number destination interface interface-id
         Specify the RSPAN session and the destination interface.
         For session_number, enter the number defined in Step 6.
         In an RSPAN destination session, you must use the same session number for the source RSPAN VLAN and
         the destination port.
         For interface-id, specify the destination interface. The destination interface must be a physical
         interface.
         Though visible in the command-line help string, encapsulation replicate is not supported for RSPAN.
         The original VLAN ID is overwritten by the RSPAN VLAN ID, and all packets appear on the destination
         port as untagged.

Step 8   end
         Return to privileged EXEC mode.

Step 9   show monitor [session session_number]
         show running-config
         Verify the configuration.

Step 10  copy running-config startup-config
         (Optional) Save the configuration in the configuration file.

To delete a SPAN session, use the no monitor session session_number global configuration command.
To remove a destination port from the SPAN session, use the no monitor session session_number
destination interface interface-id global configuration command. To remove the RSPAN VLAN from
the session, use the no monitor session session_number source remote vlan vlan-id.
This example shows how to configure VLAN 901 as the source remote VLAN and port 1 as the
destination interface:

Switch(config)# monitor session 1 source remote vlan 901
Switch(config)# monitor session 1 destination interface gigabitethernet0/1
Switch(config)# end

Creating  an  RSPAN  Destination  Session  and  Configuring  Incoming  Traffic 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  create  an  RSPAN  destination  session,  to 
specify  the  source  RSPAN  VLAN  and  the  destination  port,  and  to  enable  incoming  traffic  on  the 
destination  port  for  a  network  security  device  (such  as  a  Cisco  IDS  Sensor  Appliance). 

For  details  about  the  keywords  not  related  to  incoming  traffic,  see  the  "Creating  an  RSPAN  Destination 
Session"  section  on  page  22-19.  This  procedure  assumes  that  the  RSPAN  VLAN  has  already 
been  configured. 


Step 1   configure terminal
         Enter global configuration mode.

Step 2   no monitor session {session_number | all | local | remote}
         Remove any existing SPAN configuration for the session.

Step 3   monitor session session_number source remote vlan vlan-id
         Specify the RSPAN session and the source RSPAN VLAN.
         For session_number, the range is 1 to 66.
         For vlan-id, specify the source RSPAN VLAN to monitor.

Step 4   monitor session session_number destination {interface interface-id [, | -] [ingress {dot1q vlan vlan-id |
         isl | untagged vlan vlan-id | vlan vlan-id}]}
         Specify the RSPAN session, the destination port, the packet encapsulation, and the incoming VLAN and
         encapsulation.
         For session_number, enter the number defined in Step 3.
         In an RSPAN destination session, you must use the same session number for the source RSPAN VLAN and
         the destination port.
         For interface-id, specify the destination interface. The destination interface must be a physical
         interface.
         Though visible in the command-line help string, encapsulation replicate is not supported for RSPAN.
         The original VLAN ID is overwritten by the RSPAN VLAN ID, and all packets appear on the destination
         port as untagged.
         (Optional) [, | -] Specify a series or range of interfaces. Enter a space before and after the comma;
         enter a space before and after the hyphen.
         Enter ingress with additional keywords to enable forwarding of incoming traffic on the destination port
         and to specify the encapsulation type:
         •  dot1q vlan vlan-id: Forward incoming packets with IEEE 802.1Q encapsulation with the specified VLAN
            as the default VLAN.
         •  isl: Forward ingress packets with ISL encapsulation.
         •  untagged vlan vlan-id or vlan vlan-id: Forward incoming packets with untagged encapsulation type with
            the specified VLAN as the default VLAN.

Step 5   end
         Return to privileged EXEC mode.

Step 6   show monitor [session session_number]
         show running-config
         Verify the configuration.

Step 7   copy running-config startup-config
         (Optional) Save the configuration in the configuration file.

To delete an RSPAN session, use the no monitor session session_number global configuration
command. To remove a destination port from the RSPAN session, use the no monitor session
session_number destination interface interface-id global configuration command. The ingress options
are ignored with the no form of the command.

This example shows how to configure VLAN 901 as the source remote VLAN in RSPAN session 2, to
configure Gigabit Ethernet port 2 as the destination interface, and to enable forwarding of
incoming traffic on the interface with VLAN 6 as the default receiving VLAN.

Switch(config)# monitor session 2 source remote vlan 901
Switch(config)# monitor session 2 destination interface gigabitethernet0/2 ingress vlan 6
Switch(config)# end


Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide (380261-003)

Chapter 22  Configuring SPAN and RSPAN


Specifying  VLANs  to  Filter 


Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  the  RSPAN  source  session  to  limit 
RSPAN  source  traffic  to  specific  VLANs: 


Command                                                  Purpose

Step 1  configure terminal

Enter global configuration mode.

Step 2  no monitor session {session_number | all | local | remote}

Remove any existing SPAN configuration for the session.
For session_number, the range is 1 to 66.
Specify all to remove all SPAN sessions, local to remove all local sessions, or remote to remove all remote SPAN sessions.

Step 3  monitor session session_number source interface interface-id

Specify the characteristics of the source port (monitored port) and SPAN session.
For session_number, the range is 1 to 66.
For interface-id, specify the source port to monitor. The interface specified must already be configured as a trunk port.

Step 4  monitor session session_number filter vlan vlan-id [, | -]

Limit the SPAN source traffic to specific VLANs.
For session_number, enter the session number specified in step 3.
For vlan-id, the range is 1 to 4094.
(Optional) Use a comma (,) to specify a series of VLANs or use a hyphen (-) to specify a range of VLANs. Enter a space before and after the comma; enter a space before and after the hyphen.

Step 5  monitor session session_number destination remote vlan vlan-id

Specify the RSPAN session and the destination remote VLAN (RSPAN VLAN).
For session_number, enter the session number specified in step 3.
For vlan-id, specify the RSPAN VLAN to carry the monitored traffic to the destination port.

Step 6  end

Return to privileged EXEC mode.

Step 7  show monitor [session session_number]
        show running-config

Verify the configuration.

Step 8  copy running-config startup-config

(Optional) Save the configuration in the configuration file.

To  monitor  all  VLANs  on  the  trunk  port,  use  the  no  monitor  session  session_number  filter  vlan  global 
configuration  command. 

This  example  shows  how  to  remove  any  existing  configuration  on  RSPAN  session  2,  configure  RSPAN 
session  2  to  monitor  traffic  received  on  trunk  port  2,  and  send  traffic  for  only  VLANs  1  through  5  and  9 
to  destination  RSPAN  VLAN  902. 

Switch(config)# no monitor session 2
Switch(config)# monitor session 2 source interface gigabitethernet0/2 rx
Switch(config)# monitor session 2 filter vlan 1-5,9
Switch(config)# monitor session 2 destination remote vlan 902
Switch(config)# end
Displaying SPAN and RSPAN Status

To display the current SPAN or RSPAN configuration, use the show monitor user EXEC command. You can also use the show running-config privileged EXEC command to display configured SPAN or RSPAN sessions.
CHAPTER 23

Configuring RMON


This  chapter  describes  how  to  configure  Remote  Network  Monitoring  (RMON)  on  the  switch. 

RMON  is  a  standard  monitoring  specification  that  defines  a  set  of  statistics  and  functions  that  can  be 
exchanged  between  RMON-compliant  console  systems  and  network  probes.  RMON  provides  you  with 
comprehensive  network-fault  diagnosis,  planning,  and  performance-tuning  information. 

Note  For complete syntax and usage information for the commands used in this chapter, see the "System Management Commands" section in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.

This  chapter  consists  of  these  sections: 

•  Understanding  RMON,  page  23-1 

•  Configuring  RMON,  page  23-2 

•  Displaying  RMON  Status,  page  23-6 

Understanding  RMON 

RMON  is  an  Internet  Engineering  Task  Force  (IETF)  standard  monitoring  specification  that  allows 
various  network  agents  and  console  systems  to  exchange  network  monitoring  data.  You  can  use  the 
RMON  feature  with  the  Simple  Network  Management  Protocol  (SNMP)  agent  in  the  switch  to  monitor 
all  the  traffic  flowing  among  switches  on  all  connected  LAN  segments  as  shown  in  Figure  23-1. 
Figure 23-1  Remote Monitoring Example

[Figure: a network management station running a generic RMON console application, connected to the blade switch, which connects to the blade servers.]

The  switch  supports  these  RMON  groups  (defined  in  RFC  1757): 

•  Statistics  (RMON  group  1) — Collects  Ethernet  statistics  (including  Fast  Ethernet  and  Gigabit 
Ethernet  statistics,  depending  on  the  switch  type  and  supported  interfaces)  on  an  interface. 

•  History  (RMON  group  2) — Collects  a  history  group  of  statistics  on  Ethernet  ports  (including  Fast 
Ethernet  and  Gigabit  Ethernet  statistics,  depending  on  the  switch  type  and  supported  interfaces)  for 
a  specified  polling  interval. 

•  Alarm  (RMON  group  3) — Monitors  a  specific  management  information  base  (MIB)  object  for  a 
specified  interval,  triggers  an  alarm  at  a  specified  value  (rising  threshold),  and  resets  the  alarm  at 
another  value  (falling  threshold).  Alarms  can  be  used  with  events;  the  alarm  triggers  an  event,  which 
can  generate  a  log  entry  or  an  SNMP  trap. 

•  Event  (RMON  group  9) — Specifies  the  action  to  take  when  an  event  is  triggered  by  an  alarm.  The 
action  can  be  to  generate  a  log  entry  or  an  SNMP  trap. 

Because  switches  supported  by  this  software  release  use  hardware  counters  for  RMON  data  processing, 
the  monitoring  is  more  efficient,  and  little  processing  power  is  required. 

Configuring  RMON 

These  sections  contain  this  configuration  information: 

•  Default  RMON  Configuration,  page  23-3 

•  Configuring  RMON  Alarms  and  Events,  page  23-3  (required) 

•  Collecting  Group  History  Statistics  on  an  Interface,  page  23-5  (optional) 

•  Collecting  Group  Ethernet  Statistics  on  an  Interface,  page  23-5  (optional) 
Default RMON Configuration

RMON is disabled by default; no alarms or events are configured.


Configuring  RMON  Alarms  and  Events 

You  can  configure  your  switch  for  RMON  by  using  the  command-line  interface  (CLI)  or  an 
SNMP-compatible  network  management  station.  We  recommend  that  you  use  a  generic  RMON  console 
application  on  the  network  management  station  (NMS)  to  take  advantage  of  the  RMON  network 
management  capabilities.  You  must  also  configure  SNMP  on  the  switch  to  access  RMON  MIB  objects. 
For  more  information,  see  Chapter  25,  "Configuring  SNMP." 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  enable  RMON  alarms  and  events.  This 
procedure  is  required. 


Command                                                  Purpose

Step 1  configure terminal

Enter global configuration mode.

Step 2  rmon alarm number variable interval {absolute | delta} rising-threshold value [event-number] falling-threshold value [event-number] [owner string]

Set an alarm on a MIB object.

•  For number, specify the alarm number. The range is 1 to 65535.

•  For variable, specify the MIB object to monitor.

•  For interval, specify the time in seconds the alarm monitors the MIB variable. The range is 1 to 4294967295 seconds.

•  Specify the absolute keyword to test each MIB variable directly. Specify the delta keyword to test the change between samples of a MIB variable.

•  For value, specify a number at which the alarm is triggered and one for when the alarm is reset. The range for the rising threshold and falling threshold values is -2147483648 to 2147483647.

•  (Optional) For event-number, specify the event number to trigger when the rising or falling threshold exceeds its limit.

•  (Optional) For owner string, specify the owner of the alarm.

Step 3  rmon event number [description string] [log] [owner string] [trap community]

Add an event in the RMON event table that is associated with an RMON event number.

•  For number, assign an event number. The range is 1 to 65535.

•  (Optional) For description string, specify a description of the event.

•  (Optional) Use the log keyword to generate an RMON log entry when the event is triggered.

•  (Optional) For owner string, specify the owner of this event.

•  (Optional) For trap community, enter the SNMP community string used for this trap.

Step 4  end

Return to privileged EXEC mode.

Step 5  show running-config

Verify your entries.

Step 6  copy running-config startup-config

(Optional) Save your entries in the configuration file.

To  disable  an  alarm,  use  the  no  rmon  alarm  number  global  configuration  command  on  each  alarm  you 
configured.  You  cannot  disable  at  once  all  the  alarms  that  you  configured.  To  disable  an  event,  use  the 
no  rmon  event  number  global  configuration  command.  To  learn  more  about  alarms  and  events  and  how 
they  interact  with  each  other,  see  RFC  1757. 

You can set an alarm on any MIB object. The following example configures RMON alarm number 10 by using the rmon alarm command. The alarm monitors the MIB variable ifEntry.20.1 once every 20 seconds until the alarm is disabled and checks the change in the variable's rise or fall. If the ifEntry.20.1 value shows a MIB counter increase of 15 or more, such as from 100000 to 100015, the alarm is triggered. The alarm in turn triggers event number 1, which is configured with the rmon event command. Possible events can include a log entry or an SNMP trap. If the ifEntry.20.1 value changes by 0, the alarm is reset and can be triggered again.

Switch(config)# rmon alarm 10 ifEntry.20.1 20 delta rising-threshold 15 1 falling-threshold 0 owner jjohnson

The following example creates RMON event number 1 by using the rmon event command. The event is defined as High ifOutErrors and generates a log entry when the event is triggered by the alarm. The user jjones owns the row that is created in the event table by this command. This example also generates an SNMP trap when the event is triggered.

Switch(config)# rmon event 1 log trap eventtrap description "High ifOutErrors" owner jjones
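The rising/falling behaviour described above (a rising alarm fires once, then cannot fire again until the falling threshold is reached) is easy to get wrong when interpreting RMON alarms during an investigation. The following Python simulation is an added illustration, not Cisco code and not part of this guide: it models the alarm-table and event-table rows that the rmon alarm and rmon event commands create and replays the chapter's alarm 10 / event 1 configuration over a constructed series of ifEntry.20.1 values. The startup-alarm behaviour (first crossing in either direction fires) is my assumption of the RFC 1757 rising-or-falling default, and the sample values are constructed.

```python
"""Simulation of RFC 1757 alarm/event semantics (added illustration, not Cisco code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RmonEvent:
    """One row of the event table: rmon event number [description string] [log] [trap community]."""
    number: int
    description: str = ""
    log: bool = False
    trap_community: Optional[str] = None
    owner: str = ""
    actions: List[str] = field(default_factory=list)   # record of what each firing produced

    def fire(self, cause: str) -> None:
        if self.log:
            self.actions.append(f"log entry: event {self.number} {self.description!r} ({cause})")
        if self.trap_community is not None:
            self.actions.append(f"SNMP trap to community {self.trap_community!r} ({cause})")


@dataclass
class RmonAlarm:
    """One row of the alarm table: rmon alarm number variable interval {absolute | delta} ..."""
    number: int
    variable: str
    interval: int                     # seconds between samples; documents the cadence only
    sample_type: str                  # "absolute" or "delta"
    rising_threshold: int
    falling_threshold: int
    rising_event: Optional[RmonEvent] = None
    falling_event: Optional[RmonEvent] = None
    owner: str = ""
    last_value: Optional[int] = None
    # Assumption: startup alarm is "rising or falling", so the first crossing in either direction
    # fires.  RFC 1757 then suppresses further rising alarms until the sampled value reaches the
    # falling threshold (and vice versa); this field tracks which direction is currently armed.
    armed: str = "both"

    def sample(self, value: int) -> Optional[str]:
        """Feed the value seen at one polling interval; return 'rising', 'falling' or None."""
        if self.sample_type == "delta":
            if self.last_value is None:          # first sample only establishes the baseline
                self.last_value = value
                return None
            observed = value - self.last_value   # change between consecutive samples
            self.last_value = value
        elif self.sample_type == "absolute":
            observed = value                     # test the MIB variable directly
        else:
            raise ValueError(f"unknown sample type {self.sample_type!r}")

        if observed >= self.rising_threshold and self.armed in ("both", "rising"):
            self.armed = "falling"               # no second rising alarm until a falling crossing
            if self.rising_event is not None:
                self.rising_event.fire(f"alarm {self.number}: {self.variable} sampled {observed}")
            return "rising"
        if observed <= self.falling_threshold and self.armed in ("both", "falling"):
            self.armed = "rising"                # alarm reset; a rising crossing may fire again
            if self.falling_event is not None:
                self.falling_event.fire(f"alarm {self.number}: {self.variable} sampled {observed}")
            return "falling"
        return None


def run_page_example(samples: List[int]) -> Tuple[List[Optional[str]], List[str]]:
    """Replay the chapter's alarm 10 / event 1 configuration over a constructed ifEntry.20.1 series."""
    event1 = RmonEvent(1, description="High ifOutErrors", log=True,
                       trap_community="eventtrap", owner="jjones")
    alarm10 = RmonAlarm(10, "ifEntry.20.1", 20, "delta", rising_threshold=15,
                        falling_threshold=0, rising_event=event1, owner="jjohnson")
    transitions = [alarm10.sample(v) for v in samples]
    return transitions, event1.actions


if __name__ == "__main__":
    # Constructed counter readings: +15, +15 (suppressed), +0 (reset), +20 (fires again).
    print(run_page_example([100000, 100015, 100030, 100030, 100050]))
```

The second +15 step produces nothing because the alarm is still waiting for the falling threshold; only after the zero-change sample resets it does the next increase fire event 1 again. When reading RMON log entries or traps, this is why a sustained error burst shows up as a single event rather than one per interval.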
Collecting Group History Statistics on an Interface

You must first configure RMON alarms and events to display collection information.

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  collect  group  history  statistics  on  an 
interface.  This  procedure  is  optional. 


Command                                                  Purpose

Step 1  configure terminal

Enter global configuration mode.

Step 2  interface interface-id

Specify the interface on which to collect history, and enter interface configuration mode.

Step 3  rmon collection history index [buckets bucket-number] [interval seconds] [owner ownername]

Enable history collection for the specified number of buckets and time period.

•  For index, identify the RMON group of statistics. The range is 1 to 65535.

•  (Optional) For buckets bucket-number, specify the maximum number of buckets desired for the RMON collection history group of statistics. The range is 1 to 65535. The default is 50 buckets.

•  (Optional) For interval seconds, specify the number of seconds in each polling cycle. The range is 1 to 3600. The default is 1800 seconds.

•  (Optional) For owner ownername, enter the name of the owner of the RMON group of statistics.

Step 4  end

Return to privileged EXEC mode.

Step 5  show running-config

Verify your entries.

Step 6  show rmon history

Display the contents of the switch history table.

Step 7  copy running-config startup-config

(Optional) Save your entries in the configuration file.


To  disable  history  collection,  use  the  no  rmon  collection  history  index  interface  configuration 
command. 


Collecting  Group  Ethernet  Statistics  on  an  Interface 


Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  collect  group  Ethernet  statistics  on  an 
interface.  This  procedure  is  optional. 


Command                                                  Purpose

Step 1  configure terminal

Enter global configuration mode.

Step 2  interface interface-id

Specify the interface on which to collect statistics, and enter interface configuration mode.

Step 3  rmon collection stats index [owner ownername]

Enable RMON statistic collection on the interface.

•  For index, specify the RMON group of statistics. The range is from 1 to 65535.

•  (Optional) For owner ownername, enter the name of the owner of the RMON group of statistics.

Step 4  end

Return to privileged EXEC mode.

Step 5  show running-config

Verify your entries.

Step 6  show rmon statistics

Display the contents of the switch statistics table.

Step 7  copy running-config startup-config

(Optional) Save your entries in the configuration file.

To  disable  the  collection  of  group  Ethernet  statistics,  use  the  no  rmon  collection  stats  index  interface 
configuration  command. 

This  example  shows  how  to  collect  RMON  statistics  for  the  owner  root: 

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# rmon collection stats 2 owner root


Displaying  RMON  Status 

To display the RMON status, use one or more of the privileged EXEC commands in Table 23-1:

Table 23-1  Commands for Displaying RMON Status

Command                  Purpose
show rmon                Displays general RMON statistics.
show rmon alarms         Displays the RMON alarm table.
show rmon events         Displays the RMON event table.
show rmon history        Displays the RMON history table.
show rmon statistics     Displays the RMON statistics table.

For  information  about  the  fields  in  these  displays,  see  the  "System  Management  Commands"  section  in 
the  Cisco  IOS  Configuration  Fundamentals  Command  Reference,  Release  12.2. 
CHAPTER 24

Configuring System Message Logging

This chapter describes how to configure system message logging on the switch.


Note      For  complete  syntax  and  usage  information  for  the  commands  used  in  this  chapter,  see  the  Cisco  IOS 
Configuration  Fundamentals  Command  Reference,  Release  12.2. 

This  chapter  consists  of  these  sections: 

•  Understanding  System  Message  Logging,  page  24-1 

•  Configuring  System  Message  Logging,  page  24-2 

•  Displaying  the  Logging  Configuration,  page  24-12 

Understanding  System  Message  Logging 

By  default,  a  switch  sends  the  output  from  system  messages  and  debug  privileged  EXEC  commands  to 
a  logging  process.  The  logging  process  controls  the  distribution  of  logging  messages  to  various 
destinations,  such  as  the  logging  buffer,  terminal  lines,  or  a  UNIX  syslog  server,  depending  on  your 
configuration.  The  process  also  sends  messages  to  the  console. 

Note  The syslog format is compatible with 4.3 BSD UNIX.


When  the  logging  process  is  disabled,  messages  are  sent  only  to  the  console.  The  messages  are  sent  as 
they  are  generated,  so  message  and  debug  output  are  interspersed  with  prompts  or  output  from  other 
commands.  Messages  appear  on  the  console  after  the  process  that  generated  them  has  finished. 

You  can  set  the  severity  level  of  the  messages  to  control  the  type  of  messages  displayed  on  the  consoles 
and  each  of  the  destinations.  You  can  time-stamp  log  messages  or  set  the  syslog  source  address  to 
enhance  real-time  debugging  and  management.  For  information  on  possible  messages,  see  the  system 
message  guide  for  this  release. 

You  can  remotely  monitor  system  messages  by  viewing  the  logs  on  a  syslog  server  or  by  accessing  the 
switch  through  Telnet  or  through  the  console  port. 
Configuring System Message Logging

These  sections  contain  this  configuration  information: 

•  System  Log  Message  Format,  page  24-2 

•  Default  System  Message  Logging  Configuration,  page  24-3 

•  Disabling  Message  Logging,  page  24-3  (optional) 

•  Setting  the  Message  Display  Destination  Device,  page  24-4  (optional) 

•  Synchronizing  Log  Messages,  page  24-5  (optional) 

•  Enabling  and  Disabling  Time  Stamps  on  Log  Messages,  page  24-7  (optional) 

•  Enabling  and  Disabling  Sequence  Numbers  in  Log  Messages,  page  24-7  (optional) 

•  Defining  the  Message  Severity  Level,  page  24-8  (optional) 

•  Limiting  Syslog  Messages  Sent  to  the  History  Table  and  to  SNMP,  page  24-9  (optional) 

•  Configuring  UNIX  Syslog  Servers,  page  24-10  (optional) 

System  Log  Message  Format 

System  log  messages  can  contain  up  to  80  characters  and  a  percent  sign  (%),  which  follows  the  optional 
sequence  number  or  time-stamp  information,  if  configured.  Messages  appear  in  this  format: 

seq  no:timestamp:  %facility-severity-MNEMONIC:description 

The  part  of  the  message  preceding  the  percent  sign  depends  on  the  setting  of  the  service 
sequence-numbers,  service  timestamps  log  datetime,  service  timestamps  log  datetime  [localtime] 
[msec]  [show-timezone],  or  service  timestamps  log  uptime  global  configuration  command. 

Table  24-1  describes  the  elements  of  syslog  messages. 


Table 24-1  System Log Message Elements

Element: seq no:
Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured.
For more information, see the "Enabling and Disabling Sequence Numbers in Log Messages" section on page 24-7.

Element: timestamp formats: mm/dd hh:mm:ss, or hh:mm:ss (short uptime), or d h (long uptime)
Date and time of the message or event. This information appears only if the service timestamps log [datetime | log] global configuration command is configured.
For more information, see the "Enabling and Disabling Time Stamps on Log Messages" section on page 24-7.

Element: facility
The facility to which the message refers (for example, SNMP, SYS, and so forth). For a list of supported facilities, see Table 24-4 on page 24-11.

Element: severity
Single-digit code from 0 to 7 that is the severity of the message. For a description of the severity levels, see Table 24-3 on page 24-9.

Element: MNEMONIC
Text string that uniquely describes the message.

Element: description
Text string containing detailed information about the event being reported.

This example shows a partial switch system message:

00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down

*Mar  1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
18:47:02: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)

*Mar  1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
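A parser for the message format laid out in Table 24-1 and the lines above, as an added Python example (not Cisco code and not part of this guide). It splits a message into sequence number, time stamp, facility, severity, mnemonic and description, names which of the three time-stamp formats is in use, and as a worked detection pulls out every SYS-5-CONFIG_I message together with the line and source address that made the configuration change. The sample lines are constructed in the chapter's format; the six-digit sequence-number assumption is mine.

```python
"""Parser for the IOS system message format  [seq no:][timestamp:] %FACILITY-SEVERITY-MNEMONIC: description
(added illustration, not Cisco code)."""
import re
from typing import Dict, List, Optional

# Message body after the percent sign: %facility-severity-MNEMONIC: description
_BODY_RE = re.compile(
    r"%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+)\s*:\s*(?P<description>.*)$"
)
# Assumption: 'service sequence-numbers' prints a zero-padded number of at least six digits,
# which is how it is told apart from an hh:mm:ss uptime stamp.
_SEQ_RE = re.compile(r"^(?P<seq>\d{6,})\s*:\s*(?P<rest>.*)$")
_UPTIME_SHORT_RE = re.compile(r"^\d{2,}:\d{2}:\d{2}$")                 # hh:mm:ss
_UPTIME_LONG_RE = re.compile(r"^\d+[wd]\d{1,2}[dh]$")                  # e.g. 2d05h
_DATETIME_RE = re.compile(                                             # service timestamps log datetime
    r"^\*?(?:(?:[A-Z][a-z]{2}\s+\d{1,2}|\d{2}/\d{2})\s+(?:\d{4}\s+)?)?"
    r"\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:\s+[A-Za-z]{1,5})?$"             # [msec] [show-timezone]
)
_CONFIG_SRC_RE = re.compile(r"by (?P<line>\S+)(?:\s+\((?P<addr>[^)]+)\))?")


def _classify_timestamp(ts: Optional[str]) -> str:
    """Name the time-stamp format.  A bare hh:mm:ss is reported as short uptime; datetime
    output without a date (the 18:47:02 line in the chapter) looks identical to it."""
    if ts is None:
        return "none"
    if _UPTIME_LONG_RE.match(ts):
        return "uptime-long"
    if _UPTIME_SHORT_RE.match(ts):
        return "uptime-short"
    if _DATETIME_RE.match(ts):
        return "datetime"
    return "unknown"


def parse_ios_syslog(line: str) -> Optional[Dict[str, object]]:
    """Split one message into its Table 24-1 elements; return None for lines that are not messages."""
    pct = line.find("%")
    if pct < 0:
        return None
    body = _BODY_RE.match(line[pct:])
    if body is None:
        return None
    head = line[:pct].strip()              # everything before the percent sign: [seq no:][timestamp:]
    if head.endswith(":"):
        head = head[:-1].rstrip()
    seq = None
    m = _SEQ_RE.match(head)
    if m:
        seq, head = m.group("seq"), m.group("rest").strip()
    ts = head or None
    return {
        "seq": seq,
        "timestamp": ts,
        "timestamp_kind": _classify_timestamp(ts),
        "facility": body.group("facility"),
        "severity": int(body.group("severity")),
        "mnemonic": body.group("mnemonic"),
        "description": body.group("description").strip(),
    }


def find_config_changes(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Every SYS-5-CONFIG_I message, with the terminal line and source address that made the change."""
    hits = []
    for line in lines:
        msg = parse_ios_syslog(line)
        if msg and msg["facility"] == "SYS" and msg["mnemonic"] == "CONFIG_I":
            src = _CONFIG_SRC_RE.search(str(msg["description"]))
            hits.append({
                "timestamp": msg["timestamp"],
                "line": src.group("line") if src else None,
                "addr": src.group("addr") if src else None,
            })
    return hits


# Constructed sample lines in the chapter's format (10.34.195.36 is the address the chapter uses).
SAMPLE_LOG = [
    "00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up",
    "000021: *Mar  1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    "*Mar  1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    "%SYS-5-CONFIG_I: Configured from console by console",
    "2d05h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down",
]

if __name__ == "__main__":
    for entry in find_config_changes(SAMPLE_LOG):
        print(entry)
```

The timestamp_kind field is what an analyst checks first: a log whose stamps are all uptime values cannot be correlated with a syslog server's clock, which is the practical reason the chapter's service timestamps log datetime option matters for investigations.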


Default  System  Message  Logging  Configuration 

Table 24-2 shows the default system message logging configuration.

Table 24-2  Default System Message Logging Configuration

Feature                                     Default Setting
System message logging to the console       Enabled.
Console severity                            Debugging (and numerically lower levels; see Table 24-3 on page 24-9).
Logging file configuration                  No filename specified.
Logging buffer size                         4096 bytes.
Logging history size                        1 message.
Time stamps                                 Disabled.
Synchronous logging                         Disabled.
Logging server                              Disabled.
Syslog server IP address                    None configured.
Server facility                             Local7 (see Table 24-4 on page 24-11).
Server severity                             Informational (and numerically lower levels; see Table 24-3 on page 24-9).

Disabling  Message  Logging 

Message  logging  is  enabled  by  default.  It  must  be  enabled  to  send  messages  to  any  destination  other  than 
the  console.  When  enabled,  log  messages  are  sent  to  a  logging  process,  which  logs  messages  to 
designated  locations  asynchronously  to  the  processes  that  generated  the  messages. 




Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  disable  message  logging.  This  procedure  is 
optional. 


Command                                                  Purpose

Step 1  configure terminal

Enter global configuration mode.

Step 2  no logging console

Disable message logging.

Step 3  end

Return to privileged EXEC mode.

Step 4  show running-config
        or
        show logging

Verify your entries.

Step 5  copy running-config startup-config

(Optional) Save your entries in the configuration file.

Disabling  the  logging  process  can  slow  down  the  switch  because  a  process  must  wait  until  the  messages 
are  written  to  the  console  before  continuing.  When  the  logging  process  is  disabled,  messages  appear  on 
the  console  as  soon  as  they  are  produced,  often  appearing  in  the  middle  of  command  output. 

The  logging  synchronous  global  configuration  command  also  affects  the  display  of  messages  to  the 
console.  When  this  command  is  enabled,  messages  appear  only  after  you  press  Return.  For  more 
information,  see  the  "Synchronizing  Log  Messages"  section  on  page  24-5. 

To  re-enable  message  logging  after  it  has  been  disabled,  use  the  logging  on  global  configuration 
command. 


Setting  the  Message  Display  Destination  Device 

If  message  logging  is  enabled,  you  can  send  messages  to  specific  locations  in  addition  to  the  console. 
Beginning  in  privileged  EXEC  mode,  use  one  or  more  of  the  following  commands  to  specify  the 
locations  that  receive  messages.  This  procedure  is  optional. 


Command                                                  Purpose

Step 1  configure terminal

Enter global configuration mode.

Step 2  logging buffered [size]

Log messages to an internal buffer on the switch. The range is 4096 to 2147483647 bytes. The default buffer size is 4096 bytes.

If the switch fails, the log file is lost unless you had previously saved it to flash memory. See Step 4.

Note  Do not make the buffer size too large because the switch could run out of memory for other tasks. Use the show memory privileged EXEC command to view the free processor memory on the switch. However, this value is the maximum available, and the buffer size should not be set to this amount.

Step 3  logging host

Log messages to a UNIX syslog server host.

For host, specify the name or IP address of the host to be used as the syslog server.

To build a list of syslog servers that receive logging messages, enter this command more than once.

For complete syslog server configuration steps, see the "Configuring UNIX Syslog Servers" section on page 24-10.

Step 4  logging file flash:filename [max-file-size [min-file-size]] [severity-level-number | type]

Store log messages in a file in flash memory.

•  For filename, enter the log message filename.

•  (Optional) For max-file-size, specify the maximum logging file size. The range is 4096 to 2147483647. The default is 4096 bytes.

•  (Optional) For min-file-size, specify the minimum logging file size. The range is 1024 to 2147483647. The default is 2048 bytes.

•  (Optional) For severity-level-number | type, specify either the logging severity level or the logging type. The severity range is 0 to 7. For a list of logging type keywords, see Table 24-3 on page 24-9. By default, the log file receives debugging messages and numerically lower levels.

Step 5  end

Return to privileged EXEC mode.

Step 6  terminal monitor

Log messages to a nonconsole terminal during the current session.

Terminal parameter-setting commands are set locally and do not remain in effect after the session has ended. You must perform this step for each session to see the debugging messages.

Step 7  show running-config

Verify your entries.

Step 8  copy running-config startup-config

(Optional) Save your entries in the configuration file.

The  logging  buffered  global  configuration  command  copies  logging  messages  to  an  internal  buffer.  The 
buffer  is  circular,  so  newer  messages  overwrite  older  messages  after  the  buffer  is  full.  To  display  the 
messages  that  are  logged  in  the  buffer,  use  the  show  logging  privileged  EXEC  command.  The  first 
message  displayed  is  the  oldest  message  in  the  buffer.  To  clear  the  contents  of  the  buffer,  use  the  clear 
logging  privileged  EXEC  command. 

To disable logging to the console, use the no logging console global configuration command. To disable logging to a file, use the no logging file [severity-level-number | type] global configuration command.
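Because the buffer in Step 2 is circular and volatile, a switch left near the Table 24-2 defaults keeps very little evidence of what happened to it. The following Python audit is an added example (not Cisco code and not part of this guide): it reads a saved copy of show running-config, reconstructs the logging settings that the commands in this section and in "System Log Message Format" control, and reports where the switch still relies on defaults. Both configurations are constructed; the 192.0.2.x addresses are placeholders, and treating any word after logging that is not a known keyword as a syslog host is my assumption, matching the logging host form documented above.

```python
"""Offline audit of the logging lines in a saved 'show running-config' copy, measured against the
Table 24-2 defaults (added illustration, not Cisco code)."""
from typing import Dict, List, Optional

DEFAULT_BUFFER_SIZE = 4096          # Table 24-2: logging buffer size
# Words that can follow 'logging' without naming a syslog server.  Assumption: any other word is a
# host, which is the 'logging host' form this chapter documents.
_LOGGING_NON_HOST = {"buffered", "console", "monitor", "trap", "facility", "synchronous", "on", "file",
                     "history", "source-interface", "rate-limit", "origin-id", "count"}


def audit_logging_config(running_config: str) -> Dict[str, object]:
    """Summarise the logging settings and list the findings a log-integrity review would raise."""
    servers: List[str] = []
    buffer_size = DEFAULT_BUFFER_SIZE
    log_file: Optional[str] = None
    timestamps = "disabled"          # Table 24-2 default
    sequence_numbers = False         # default: not displayed
    console_logging = True           # Table 24-2 default: enabled

    for raw in running_config.splitlines():
        tokens = raw.split()         # leading indentation (line-mode commands) is irrelevant here
        if not tokens:
            continue
        if tokens[:3] == ["service", "timestamps", "log"] and len(tokens) > 3:
            timestamps = tokens[3]                       # "uptime" or "datetime"
        elif tokens[:3] == ["no", "service", "timestamps"]:
            timestamps = "disabled"
        elif tokens[:2] == ["service", "sequence-numbers"]:
            sequence_numbers = True
        elif tokens[:3] == ["no", "service", "sequence-numbers"]:
            sequence_numbers = False
        elif tokens[:3] == ["no", "logging", "console"]:
            console_logging = False
        elif tokens[0] == "logging" and len(tokens) > 1:
            if tokens[1] == "buffered":
                sizes = [t for t in tokens[2:] if t.isdigit()]
                if sizes:
                    buffer_size = int(sizes[0])
            elif tokens[1] == "file" and len(tokens) > 2:
                log_file = tokens[2]                     # logging file flash:filename ...
            elif tokens[1] == "host" and len(tokens) > 2:
                servers.append(tokens[2])
            elif tokens[1] not in _LOGGING_NON_HOST:
                servers.append(tokens[1])                # 'logging <host>' as written in this chapter

    findings: List[str] = []
    if timestamps == "disabled":
        findings.append("timestamps-disabled")            # messages cannot be ordered against other sources
    elif timestamps == "uptime":
        findings.append("timestamps-uptime")              # uptime stamps do not line up with wall-clock evidence
    if not sequence_numbers:
        findings.append("no-sequence-numbers")            # messages with identical stamps cannot be told apart
    if not servers:
        findings.append("no-syslog-server")               # the buffer is all there is, and it is lost on failure
    if buffer_size <= DEFAULT_BUFFER_SIZE and log_file is None:
        findings.append("buffer-default-size-no-file")   # 4096 bytes of volatile history only
    if not console_logging:
        findings.append("console-logging-disabled")
    return {
        "syslog_servers": servers, "buffer_size": buffer_size, "log_file": log_file,
        "timestamps": timestamps, "sequence_numbers": sequence_numbers,
        "console_logging": console_logging, "findings": findings,
    }


# Constructed: a switch still close to the Table 24-2 defaults.
WEAK_CONFIG = """\
service timestamps debug uptime
service timestamps log uptime
no service sequence-numbers
hostname blade-sw1
logging buffered 4096
no logging console
logging 192.0.2.50
line vty 0 15
 logging synchronous
"""

# Constructed: the same switch after the commands in this chapter have been applied.
HARDENED_CONFIG = """\
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
hostname blade-sw1
logging buffered 65536
logging file flash:switchlog 524288 4096 informational
logging 192.0.2.50
logging 192.0.2.51
line vty 0 15
 logging synchronous
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_logging_config(cfg)["findings"])
```

The audit deliberately treats a single syslog server as sufficient and a default-sized buffer as acceptable once a flash log file exists; tighten those thresholds to whatever your own logging policy requires.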


Synchronizing  Log  Messages 

You  can  synchronize  unsolicited  messages  and  debug  privileged  EXEC  command  output  with  solicited 
device  output  and  prompts  for  a  specific  console  port  line  or  virtual  terminal  line.  You  can  identify  the 
types  of  messages  to  be  output  asynchronously  based  on  the  level  of  severity.  You  can  also  configure 
the  maximum  number  of  buffers  for  storing  asynchronous  messages  for  the  terminal  after  which 
messages  are  dropped. 

When synchronous logging of unsolicited messages and debug command output is enabled, unsolicited device output appears on the console or is printed only after solicited device output appears or is printed. Unsolicited messages and debug command output appear on the console after the prompt for user input is returned. Therefore, unsolicited messages and debug command output are not interspersed with solicited device output and prompts. After the unsolicited messages appear, the console again displays the user prompt.

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  synchronous  logging.  This 
procedure  is  optional. 


Command                                                  Purpose

Step 1  configure terminal

Enter global configuration mode.

Step 2  line [console | vty] line-number [ending-line-number]

Specify the line to be configured for synchronous logging of messages.

•  Use the console keyword for configurations that occur through the switch console port.

•  Use the line vty line-number command to specify which vty lines are to have synchronous logging enabled. You use a vty connection for configurations that occur through a Telnet session. The range of line numbers is from 0 to 15.

You can change the setting of all 16 vty lines at once by entering:

line vty 0 15

Or you can change the setting of the single vty line being used for your current connection. For example, to change the setting for vty line 2, enter:

line vty 2

When you enter this command, the mode changes to line configuration.

Step 3  logging synchronous [level [severity-level | all] | limit number-of-buffers]

Enable synchronous logging of messages.

•  (Optional) For level severity-level, specify the message severity level. Messages with a severity level equal to or higher than this value are printed asynchronously. Low numbers mean greater severity and high numbers mean lesser severity. The default is 2.

•  (Optional) Specifying level all means that all messages are printed asynchronously regardless of the severity level.

•  (Optional) For limit number-of-buffers, specify the number of buffers to be queued for the terminal after which new messages are dropped. The range is 0 to 2147483647. The default is 20.

Step 4  end

Return to privileged EXEC mode.

Step 5  show running-config

Verify your entries.

Step 6  copy running-config startup-config

(Optional) Save your entries in the configuration file.


To disable synchronization of unsolicited messages and debug output, use the no logging synchronous [level severity-level | all] [limit number-of-buffers] line configuration command.
Enabling and Disabling Time Stamps on Log Messages

By  default,  log  messages  are  not  time-stamped. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  enable  time-stamping  of  log  messages.  This 
procedure  is  optional. 


Command 

Purpose 

Step  1      configure  terminal 

Enter  global  configuration  mode. 

Step  2     service  timestamps  log  uptime 

or 

service  timestamps  log  datetime  [msec]  [localtime] 
[show-timezone] 

Enable  log  time  stamps. 

The  first  command  enables  time  stamps  on  log  messages, 
showing  the  time  since  the  system  was  rebooted. 

The  second  command  enables  time  stamps  on  log  messages. 
Depending  on  the  options  selected,  the  time  stamp  can 
include  the  date,  time  in  milliseconds  relative  to  the  local 
time-zone,  and  the  time  zone  name. 

Step  3  end 

Return  to  privileged  EXEC  mode. 

Step  4     show  running-config 

Verify  your  entries. 

Step  5     copy  running-config  startup-config 

(Optional)  Save  your  entries  in  the  configuration  file. 

To  disable  time  stamps  for  both  debug  and  log  messages,  use  the  no  service  timestamps  global 
configuration  command. 

This  example  shows  part  of  a  logging  display  with  the  service  timestamps  log  datetime  global 
configuration  command  enabled: 

*Mar     1  18:46:11:    %SYS-5-CONFIG_I :   Configured  from  console  by  vty2  (10.34.195.36) 

This  example  shows  part  of  a  logging  display  with  the  service  timestamps  log  uptime  global 
configuration  command  enabled: 

00:00:46:    %LINK-3 -UPDOWN :    Interface  Port-channell ,    changed  state  to  up 


Enabling and Disabling Sequence Numbers in Log Messages

Because there is a chance that more than one log message can have the same time stamp, you can display messages with sequence numbers so that you can unambiguously identify a single message. By default, sequence numbers in log messages are not displayed.

Beginning in privileged EXEC mode, follow these steps to enable sequence numbers in log messages. This procedure is optional.

Command                                   Purpose

Step 1    configure terminal
          Enter global configuration mode.

Step 2    service sequence-numbers
          Enable sequence numbers.

Step 3    end
          Return to privileged EXEC mode.

Step 4    show running-config
          Verify your entries.

Step 5    copy running-config startup-config
          (Optional) Save your entries in the configuration file.

To disable sequence numbers, use the no service sequence-numbers global configuration command.

This example shows part of a logging display with sequence numbers enabled:

000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)

Defining the Message Severity Level

You can limit the messages displayed to the selected device by specifying the severity level of the message; the levels are described in Table 24-3.

Beginning in privileged EXEC mode, follow these steps to define the message severity level. This procedure is optional.

Command                                   Purpose

configure terminal
          Enter global configuration mode.

logging console level
          Limit messages logged to the console.
          By default, the console receives debugging messages and numerically lower levels (see Table 24-3 on page 24-9).

logging monitor level
          Limit messages logged to the terminal lines.
          By default, the terminal receives debugging messages and numerically lower levels (see Table 24-3 on page 24-9).

logging trap level
          Limit messages logged to the syslog servers.
          By default, syslog servers receive informational messages and numerically lower levels (see Table 24-3 on page 24-9).
          For complete syslog server configuration steps, see the "Configuring UNIX Syslog Servers" section on page 24-10.

end
          Return to privileged EXEC mode.

show running-config
or
show logging
          Verify your entries.

copy running-config startup-config
          (Optional) Save your entries in the configuration file.

Note: Specifying a level causes messages at that level and numerically lower levels to appear at the destination.

To disable logging to the console, use the no logging console global configuration command. To disable logging to a terminal other than the console, use the no logging monitor global configuration command. To disable logging to syslog servers, use the no logging trap global configuration command.


Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide (380261-003), Chapter 24, Configuring System Message Logging


Table 24-3 describes the level keywords. It also lists the corresponding UNIX syslog definitions from the most severe level to the least severe level.

Table 24-3    Message Logging Level Keywords

Level Keyword     Level   Description                        Syslog Definition
emergencies       0       System unstable                    LOG_EMERG
alerts            1       Immediate action needed            LOG_ALERT
critical          2       Critical conditions                LOG_CRIT
errors            3       Error conditions                   LOG_ERR
warnings          4       Warning conditions                 LOG_WARNING
notifications     5       Normal but significant condition   LOG_NOTICE
informational     6       Informational messages only        LOG_INFO
debugging         7       Debugging messages                 LOG_DEBUG

The software generates four other categories of messages:

• Error messages about software or hardware malfunctions, displayed at levels warnings through emergencies. These types of messages mean that the functionality of the switch is affected. For information on how to recover from these malfunctions, see the system message guide for this release.

• Output from the debug commands, displayed at the debugging level. Debug commands are typically used only by the Technical Assistance Center.

• Interface up or down transitions and system restart messages, displayed at the notifications level. This message is only for information; switch functionality is not affected.


Limiting Syslog Messages Sent to the History Table and to SNMP

If you enabled syslog message traps to be sent to an SNMP network management station by using the snmp-server enable trap global configuration command, you can change the level of messages sent and stored in the switch history table. You also can change the number of messages that are stored in the history table.

Messages are stored in the history table because SNMP traps are not guaranteed to reach their destination. By default, one message of the level warning and numerically lower levels (see Table 24-3 on page 24-9) is stored in the history table even if syslog traps are not enabled.

Beginning in privileged EXEC mode, follow these steps to change the level and history table size defaults. This procedure is optional.

Command                                   Purpose

Step 1    configure terminal
          Enter global configuration mode.

Step 2    logging history level [1]
          Change the default level of syslog messages stored in the history file and sent to the SNMP server.
          See Table 24-3 on page 24-9 for a list of level keywords.
          By default, warnings, errors, critical, alerts, and emergencies messages are sent.

Step 3    logging history size number
          Specify the number of syslog messages that can be stored in the history table.
          The default is to store one message. The range is 0 to 500 messages.

Step 4    end
          Return to privileged EXEC mode.

Step 5    show running-config
          Verify your entries.

Step 6    copy running-config startup-config
          (Optional) Save your entries in the configuration file.

[1] Table 24-3 lists the level keywords and severity level. For SNMP usage, the severity level values increase by 1. For example, emergencies equals 1, not 0, and critical equals 3, not 2.

When the history table is full (it contains the maximum number of message entries specified with the logging history size global configuration command), the oldest message entry is deleted from the table to allow the new message entry to be stored.

To return the logging of syslog messages to the default level, use the no logging history global configuration command. To return the number of messages in the history table to the default value, use the no logging history size global configuration command.

Configuring UNIX Syslog Servers

The next sections describe how to configure the UNIX server syslog daemon and how to define the UNIX system logging facility.

Logging Messages to a UNIX Syslog Daemon

Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server. This procedure is optional.

Log in as root, and perform these steps:

Note: Some recent versions of UNIX syslog daemons no longer accept syslog packets from the network by default. If this is the case with your system, use the UNIX man syslogd command to decide what options must be added to or removed from the syslog command line to enable logging of remote syslog messages.

Step 1    Add a line such as the following to the file /etc/syslog.conf:

local7.debug /usr/adm/logs/cisco.log

The local7 keyword specifies the logging facility to be used; see Table 24-4 on page 24-11 for information on the facilities. The debug keyword specifies the syslog level; see Table 24-3 on page 24-9 for information on the severity levels. The syslog daemon sends messages at this level or at a more severe level to the file specified in the next field. The file must already exist, and the syslog daemon must have permission to write to it.

Step 2    Create the log file by entering these commands at the UNIX shell prompt:

$ touch /var/log/cisco.log

$ chmod 666 /var/log/cisco.log

Step 3    Make sure the syslog daemon reads the new changes:

$ kill -HUP `cat /etc/syslog.pid`

For more information, see the man syslog.conf and man syslogd commands on your UNIX system.


Configuring the UNIX System Logging Facility

When sending system log messages to an external device, you can cause the switch to identify its messages as originating from any of the UNIX syslog facilities.

Beginning in privileged EXEC mode, follow these steps to configure UNIX system facility message logging. This procedure is optional.

Command                                   Purpose

Step 1    configure terminal
          Enter global configuration mode.

Step 2    logging host
          Log messages to a UNIX syslog server host by entering its IP address.
          To build a list of syslog servers that receive logging messages, enter this command more than once.

Step 3    logging trap level
          Limit messages logged to the syslog servers.
          By default, syslog servers receive informational messages and lower. See Table 24-3 on page 24-9 for level keywords.

Step 4    logging facility facility-type
          Configure the syslog facility. See Table 24-4 on page 24-11 for facility-type keywords.
          The default is local7.

Step 5    end
          Return to privileged EXEC mode.

Step 6    show running-config
          Verify your entries.

Step 7    copy running-config startup-config
          (Optional) Save your entries in the configuration file.

To remove a syslog server, use the no logging host global configuration command, and specify the syslog server IP address. To disable logging to syslog servers, enter the no logging trap global configuration command.

Table 24-4 lists the UNIX system facilities supported by the software. For more information about these facilities, consult the operator's manual for your UNIX operating system.

Table 24-4    Logging Facility-Type Keywords

Facility Type Keyword   Description
auth                    Authorization system
cron                    Cron facility
daemon                  System daemon
kern                    Kernel
local0-7                Locally defined messages
lpr                     Line printer system
mail                    Mail system
news                    USENET news
sys9-14                 System use
syslog                  System log
user                    User process
uucp                    UNIX-to-UNIX copy system

Displaying the Logging Configuration

To display the logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, see the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
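The three display formats shown earlier in this chapter (datetime stamp, uptime stamp, sequence number), the severity rules of Table 24-3, and the syslog.conf selector from the UNIX daemon procedure, brought together in a small parser. This is an added example, not code from the Cisco guide. It assumes the standard RFC 3164 numeric facility codes for the Table 24-4 keywords (the chapter lists only the keywords) and the syslog.conf level names (emerg, err, debug, and so on); the sample lines are constructed from the ones printed in this chapter.

```python
"""Parse the Cisco IOS system-message formats shown in this chapter and apply
its severity and facility rules.  Added example, not Cisco's own code; the
sample lines below are constructed from the ones printed in the chapter."""
import re
from dataclasses import dataclass
from typing import Optional

# Table 24-3: numeric level -> (level keyword, UNIX syslog definition).
LEVELS = {
    0: ("emergencies", "LOG_EMERG"), 1: ("alerts", "LOG_ALERT"),
    2: ("critical", "LOG_CRIT"), 3: ("errors", "LOG_ERR"),
    4: ("warnings", "LOG_WARNING"), 5: ("notifications", "LOG_NOTICE"),
    6: ("informational", "LOG_INFO"), 7: ("debugging", "LOG_DEBUG"),
}
KEYWORD_TO_LEVEL = {kw: n for n, (kw, _) in LEVELS.items()}
# Level names as written in syslog.conf selectors such as "local7.debug".
UNIX_LEVEL_NAMES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                    "warning": 4, "notice": 5, "info": 6, "debug": 7}
# Numeric facility codes for the Table 24-4 keywords (RFC 3164 values, an
# assumption about the wire encoding; the chapter lists only keywords).
FACILITY_CODES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
                  "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
                  **{f"local{i}": 16 + i for i in range(8)}}

# Optional six-digit sequence number, optional uptime or datetime stamp
# (with optional msec and zone), then %FACILITY-SEVERITY-MNEMONIC: text.
MSG_RE = re.compile(
    r"^(?:(?P<seq>\d{6}):\s+)?"
    r"(?:(?P<stamp>\*?[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?"
    r"(?:\s+[A-Z]{3,4})?|\d{2}:\d{2}:\d{2}):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):"
    r"\s*(?P<text>.*)$"
)


@dataclass
class CiscoMessage:
    sequence: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def level_keyword(self) -> str:
        return LEVELS[self.severity][0]

    @property
    def syslog_definition(self) -> str:
        return LEVELS[self.severity][1]

    @property
    def snmp_severity(self) -> int:
        # Footnote to the history-table procedure: SNMP severity values are
        # one greater than the Table 24-3 levels.
        return self.severity + 1


def parse_message(line: str) -> CiscoMessage:
    """Split one displayed log line into its fields; raises on other text."""
    m = MSG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a Cisco system message: {line!r}")
    return CiscoMessage(
        sequence=int(m["seq"]) if m["seq"] else None,
        timestamp=m["stamp"], facility=m["facility"],
        severity=int(m["severity"]), mnemonic=m["mnemonic"], text=m["text"],
    )


def reaches_destination(msg: CiscoMessage, configured_level: str) -> bool:
    """The Note in 'Defining the Message Severity Level': a destination set to
    a level receives that level and numerically lower (more severe) ones."""
    return msg.severity <= KEYWORD_TO_LEVEL[configured_level]


def syslog_pri(facility_keyword: str, severity: int) -> int:
    """PRI the switch sends with 'logging facility <keyword>': code * 8 + severity."""
    return FACILITY_CODES[facility_keyword] * 8 + severity


def selector_accepts(selector: str, facility_keyword: str, severity: int) -> bool:
    """Does a syslog.conf selector like 'local7.debug' accept the message?
    The daemon files messages at the selector's level or a more severe one."""
    fac, _, lvl = selector.partition(".")
    return fac in ("*", facility_keyword) and severity <= UNIX_LEVEL_NAMES[lvl]


# Constructed sample lines in the three display formats from this chapter.
SAMPLE_LINES = [
    "*Mar  1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    "00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up",
    "000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
]


def forwarded_to_server(lines, trap_level="informational", facility="local7"):
    """Messages that 'logging trap <level>' would forward, with the PRI each
    carries; the defaults are the chapter's (informational, local7)."""
    out = []
    for line in lines:
        msg = parse_message(line)
        if reaches_destination(msg, trap_level):
            out.append((msg.mnemonic, msg.level_keyword, syslog_pri(facility, msg.severity)))
    return out


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        m = parse_message(line)
        print(f"{m.facility}-{m.mnemonic}: level {m.severity} ({m.level_keyword}, "
              f"{m.syslog_definition}), SNMP severity {m.snmp_severity}")
    print(forwarded_to_server(SAMPLE_LINES, trap_level="warnings"))
```

Running the module prints the parsed fields for each sample line and then the single message (the level-3 LINK-UPDOWN) that a server would receive if logging trap were lowered to warnings; the same `reaches_destination` rule is what a collector-side alert filter should reproduce so that its view of "what the switch sent" matches the switch's configuration.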
Configuring SNMP

This chapter describes how to configure the Simple Network Management Protocol (SNMP) on the switch.

Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.

This chapter consists of these sections:

• Understanding SNMP, page 25-1

• Configuring SNMP, page 25-6

• Displaying SNMP Status, page 25-17

Understanding SNMP

SNMP is an application-layer protocol that provides a message format for communication between managers and agents. The SNMP system consists of an SNMP manager, an SNMP agent, and a MIB. The SNMP manager can be part of a network management system (NMS) such as CiscoWorks. The agent and MIB reside on the switch. To configure SNMP on the switch, you define the relationship between the manager and the agent.

The SNMP agent contains MIB variables whose values the SNMP manager can request or change. A manager can get a value from an agent or store a value into the agent. The agent gathers data from the MIB, the repository for information about device parameters and network data. The agent can also respond to a manager's requests to get or set data.

An agent can send unsolicited traps to the manager. Traps are messages alerting the SNMP manager to a condition on the network. Traps can mean improper user authentication, restarts, link status (up or down), MAC address tracking, closing of a TCP connection, loss of connection to a neighbor, or other significant events.

These sections contain this conceptual information:

• SNMP Versions, page 25-2

• SNMP Manager Functions, page 25-3

• SNMP Agent Functions, page 25-4

• SNMP Community Strings, page 25-4

• Using SNMP to Access MIB Variables, page 25-4

• SNMP Notifications, page 25-5

• SNMP ifIndex MIB Object Values, page 25-6

SNMP Versions

This software release supports these SNMP versions:

• SNMPv1—The Simple Network Management Protocol, a Full Internet Standard, defined in RFC 1157.

• SNMPv2C replaces the Party-based Administrative and Security Framework of SNMPv2Classic with the community-string-based Administrative Framework of SNMPv2C while retaining the bulk retrieval and improved error handling of SNMPv2Classic. It has these features:

  - SNMPv2—Version 2 of the Simple Network Management Protocol, a Draft Internet Standard, defined in RFCs 1902 through 1907.

  - SNMPv2C—The community-string-based Administrative Framework for SNMPv2, an Experimental Internet Protocol defined in RFC 1901.

• SNMPv3—Version 3 of the SNMP is an interoperable standards-based protocol defined in RFCs 2273 to 2275. SNMPv3 provides secure access to devices by authenticating and encrypting packets over the network and includes these security features:

  - Message integrity—ensuring that a packet was not tampered with in transit

  - Authentication—determining that the message is from a valid source

  - Encryption—scrambling the contents of a packet to prevent it from being read by an unauthorized source.

Note: To select encryption, enter the priv keyword. This keyword is available only when the cryptographic (encrypted) software image is installed.

Both SNMPv1 and SNMPv2C use a community-based form of security. The community of managers able to access the agent's MIB is defined by an IP address access control list and password.

SNMPv2C includes a bulk retrieval mechanism and more detailed error message reporting to management stations. The bulk retrieval mechanism retrieves tables and large quantities of information, minimizing the number of round-trips required. The SNMPv2C improved error handling includes expanded error codes that distinguish different kinds of error conditions; these conditions are reported through a single error code in SNMPv1. Error return codes in SNMPv2C report the error type.

SNMPv3 provides for both security models and security levels. A security model is an authentication strategy set up for a user and the group within which the user resides. A security level is the permitted level of security within a security model. A combination of the security level and the security model determines which security mechanism is used when handling an SNMP packet. Available security models are SNMPv1, SNMPv2C, and SNMPv3.
Table 25-1 identifies the characteristics of the different combinations of security models and levels.

Table 25-1    SNMP Security Models and Levels

Model     Level          Authentication     Encryption   Result
SNMPv1    noAuthNoPriv   Community string   No           Uses a community string match for authentication.
SNMPv2C   noAuthNoPriv   Community string   No           Uses a community string match for authentication.
SNMPv3    noAuthNoPriv   Username           No           Uses a username match for authentication.
SNMPv3    authNoPriv     MD5 or SHA         No           Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.
SNMPv3    authPriv (requires the cryptographic software image)   MD5 or SHA   DES   Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Provides DES 56-bit encryption in addition to authentication based on the CBC-DES (DES-56) standard.

You must configure the SNMP agent to use the SNMP version supported by the management station. Because an agent can communicate with multiple managers, you can configure the software to support communications using SNMPv1, SNMPv2C, or SNMPv3.

SNMP Manager Functions

The SNMP manager uses information in the MIB to perform the operations described in Table 25-2.

Table 25-2    SNMP Operations

Operation             Description
get-request           Retrieves a value from a specific variable.
get-next-request      Retrieves a value from a variable within a table. [1]
get-bulk-request [2]  Retrieves large blocks of data, such as multiple rows in a table, that would otherwise require the transmission of many small blocks of data.
get-response          Replies to a get-request, get-next-request, and set-request sent by an NMS.
set-request           Stores a value in a specific variable.
trap                  An unsolicited message sent by an SNMP agent to an SNMP manager when some event has occurred.

[1] With this operation, an SNMP manager does not need to know the exact variable name. A sequential search is performed to find the needed variable from within a table.

[2] The get-bulk command only works with SNMPv2 or later.
SNMP Agent Functions

The SNMP agent responds to SNMP manager requests as follows:

• Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value.

• Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS. The SNMP agent changes the value of the MIB variable to the value requested by the NMS.

The SNMP agent also sends unsolicited trap messages to notify an NMS that a significant event has occurred on the agent. Examples of trap conditions include, but are not limited to, when a port or module goes up or down, when spanning-tree topology changes occur, and when authentication failures occur.

SNMP Community Strings

SNMP community strings authenticate access to MIB objects and function as embedded passwords. In order for the NMS to access the switch, the community string definitions on the NMS must match at least one of the three community string definitions on the switch.

A community string can have one of these attributes:

• Read-only (RO)—Gives read access to authorized management stations to all objects in the MIB except the community strings, but does not allow write access

• Read-write (RW)—Gives read and write access to authorized management stations to all objects in the MIB, but does not allow access to the community strings

• When a cluster is created, the command switch manages the exchange of messages among member switches and the SNMP application. The Network Assistant software appends the member switch number (@esN, where N is the switch number) to the first configured RW and RO community strings on the command switch and propagates them to the member switches. For more information, see Chapter 6, "Clustering Switches" and see Getting Started with Cisco Network Assistant, available on Cisco.com.

Using SNMP to Access MIB Variables

An example of an NMS is the CiscoWorks network management software. CiscoWorks 2000 software uses the switch MIB variables to set device variables and to poll devices on the network for specific information. The results of a poll can be displayed as a graph and analyzed to troubleshoot internetworking problems, increase network performance, verify the configuration of devices, monitor traffic loads, and more.

As shown in Figure 25-1, the SNMP agent gathers data from the MIB. The agent can send traps, or notification of certain events, to the SNMP manager, which receives and processes the traps. Traps alert the SNMP manager to a condition on the network such as improper user authentication, restarts, link status (up or down), MAC address tracking, and so forth. The SNMP agent also responds to MIB-related queries sent by the SNMP manager in get-request, get-next-request, and set-request format.

Figure 25-1    SNMP Network
(Figure: the SNMP Manager on the NMS sends get-request, get-next-request, get-bulk, and set-request messages to the SNMP Agent on the network device; the agent returns get-response messages and traps.)

For information on supported MIBs and how to access them, see Appendix A, "Supported MIBs."

SNMP Notifications

SNMP allows the switch to send notifications to SNMP managers when particular events occur. SNMP notifications can be sent as traps or inform requests. In command syntax, unless there is an option in the command to select either traps or informs, the keyword traps refers to either traps or informs, or both. Use the snmp-server host command to specify whether to send SNMP notifications as traps or informs.

Note: SNMPv1 does not support informs.

Traps are unreliable because the receiver does not send an acknowledgment when it receives a trap, and the sender cannot determine if the trap was received. When an SNMP manager receives an inform request, it acknowledges the message with an SNMP response protocol data unit (PDU). If the sender does not receive a response, the inform request can be sent again. Because they can be re-sent, informs are more likely than traps to reach their intended destination.

The characteristics that make informs more reliable than traps also consume more resources in the switch and in the network. Unlike a trap, which is discarded as soon as it is sent, an inform request is held in memory until a response is received or the request times out. Traps are sent only once, but an inform might be re-sent or retried several times. The retries increase traffic and contribute to a higher overhead on the network. Therefore, traps and informs require a trade-off between reliability and resources. If it is important that the SNMP manager receive every notification, use inform requests. If traffic on the network or memory in the switch is a concern and notification is not required, use traps.

SNMP ifIndex MIB Object Values

In an NMS, the IF-MIB generates and assigns an interface index (ifIndex) object value that is a unique number greater than zero to identify a physical or a logical interface. When the switch reboots or the switch software is upgraded, the switch uses this same value for the interface. For example, if the switch assigns a port 2 an ifIndex value of 10003, this value is the same after the switch reboots.

The switch uses one of the values in Table 25-3 to assign an ifIndex value to an interface:

Table 25-3    ifIndex Values

Interface Type                                                      ifIndex Range
SVI [1]                                                             1-4999
EtherChannel                                                        5000-5012
Loopback                                                            5013-5077
Tunnel                                                              5078-5142
Physical (such as Gigabit Ethernet or SFP [2]-module interfaces)    10000-14500
Null                                                                14501

[1] SVI = switch virtual interface

[2] SFP = small form-factor pluggable

The switch might not use sequential values within a range.

Configuring  SNMP 

These  sections  contain  this  configuration  information: 

•  Default  SNMP  Configuration,  page  25-7 

•  SNMP  Configuration  Guidelines,  page  25-7 

•  Disabling  the  SNMP  Agent,  page  25-8 

•  Configuring  Community  Strings,  page  25-8 

•  Configuring  SNMP  Groups  and  Users,  page  25-10 

•  Configuring  SNMP  Notifications,  page  25-12 

•  Setting  the  Agent  Contact  and  Location  Information,  page  25-15 

•  Limiting  TFTP  Servers  Used  Through  SNMP,  page  25-16 

•  SNMP  Examples,  page  25-16 
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Default  SNMP  Configuration 

Table  25-4  shows  the  default  SNMP  configuration. 


Table  25-4         Default  SNMP  Configuration 


Feature 

Default  Setting 

SNMP  agent 

Disabled1. 

SNMP  trap  receiver 

None  configured. 

SNMP  traps 

None  enabled  except  the  trap  for  TCP  connections  (tty). 

SNMP  version 

If  no  version  keyword  is  present,  the  default  is  Version  1 . 

SNMPv3  authentication 

If  no  keyword  is  entered,  the  default  is  the  noauth  (noAuthNoPriv) 
security  level. 

SNMP  notification  type 

If  no  type  is  specified,  all  notifications  are  sent. 

1,    This  is  the  default  when  the  switch  starts  and  the  startup  configuration  does  not  have  any  snmp-server  global  configuration 
commands. 


SNMP  Configuration  Guidelines 

If  the  switch  starts  and  the  switch  startup  configuration  has  at  least  one  snmp-server  global 
configuration  command,  the  SNMP  agent  is  enabled. 

An  SNMP  group  is  a  table  that  maps  SNMP  users  to  SNMP  views.  An  SNMP  user  is  a  member  of  an 
SNMP  group.  An  SNMP  host  is  the  recipient  of  an  SNMP  trap  operation.  An  SNMP  engine  ID  is  a  name 
for  the  local  or  remote  SNMP  engine. 

When  configuring  SNMP,  follow  these  guidelines: 

•  When  configuring  an  SNMP  group,  do  not  specify  a  notify  view.  The  snmp-server  host  global 
configuration  command  autogenerates  a  notify  view  for  the  user  and  then  adds  it  to  the  group 
associated  with  that  user.  Modifying  the  group's  notify  view  affects  all  users  associated  with  that 
group.  See  the  Cisco  IOS  Configuration  Fundamentals  Command  Reference,  Release  12.2  for 
information  about  when  you  should  configure  notify  views. 

•  To  configure  a  remote  user,  specify  the  IP  address  or  port  number  for  the  remote  SNMP  agent  of  the 
device  where  the  user  resides. 

•  Before  you  configure  remote  users  for  a  particular  agent,  configure  the  SNMP  engine  ID,  using  the 
snmp-server  enginelD  global  configuration  with  the  remote  option.  The  remote  agent's  SNMP 
engine  ID  and  user  password  are  used  to  compute  the  authentication  and  privacy  digests.  If  you  do 
not  configure  the  remote  engine  ID  first,  the  configuration  command  fails. 

•  When  configuring  SNMP  informs,  you  need  to  configure  the  SNMP  engine  ID  for  the  remote  agent 
in  the  SNMP  database  before  you  can  send  proxy  requests  or  informs  to  it. 

•  If  a  local  user  is  not  associated  with  a  remote  host,  the  switch  does  not  send  informs  for  the  auth 
(aufhNoPriv)  and  the  priv  (authPriv)  authentication  levels. 

•  Changing  the  value  of  the  SNMP  engine  ID  has  important  side  effects.  A  user's  password  (entered 
on  the  command  line)  is  converted  to  an  MD5  or  SHA  security  digest  based  on  the  password  and  the 
local  engine  ID.  The  command-line  password  is  then  destroyed,  as  required  by  RFC  2274.  Because 
of  this  deletion,  if  the  value  of  the  engine  ID  changes,  the  security  digests  of  SNMPv3  users  become 
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invalid,  and  you  need  to  reconfigure  SNMP  users  by  using  the  snmp-server  user  username  global 
configuration  command.  Similar  restrictions  require  the  reconfiguration  of  community  strings  when 
the  engine  ID  changes. 
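The password-to-digest conversion that this last guideline describes, as an added example rather than anything from the guide: a Python implementation of the RFC 2274 (now RFC 3414) password-to-key algorithm with engine-ID localization, using the RFC's own "maplesyrup" sample password and the guide's trailing-zero engine-ID shorthand. It makes concrete why the stored digests stop working after the engine ID changes and every user must be re-entered with snmp-server user.

```python
# Added example (not from the Cisco guide): RFC 2274 / RFC 3414 password-to-key
# conversion and engine-ID localization, the step the guideline above describes.
import hashlib

ONE_MIB = 1024 * 1024  # RFC 3414 A.2: hash exactly 1,048,576 bytes of the repeated password


def password_to_ku(password: bytes, algo: str) -> bytes:
    """Step 1 of RFC 3414 A.2: repeat the password to 1 MiB and hash it (MD5 or SHA-1)."""
    if not password:
        raise ValueError("password must not be empty")
    stream = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Step 2: Kul = H(Ku || engineID || Ku). This localized key is what the agent keeps;
    the command-line password itself is discarded, as the guideline says."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def expand_engine_id(short_hex: str) -> bytes:
    """Apply the guide's shorthand: 'snmp-server engineID local 1234' stands for
    123400000000000000000000 (24 hexadecimal characters, trailing zeros implied)."""
    if len(short_hex) > 24 or any(c not in "0123456789abcdefABCDEF" for c in short_hex):
        raise ValueError("engine ID must be up to 24 hexadecimal characters")
    return bytes.fromhex(short_hex.ljust(24, "0"))


def user_digest(password: str, engine_id_hex: str, algo: str = "md5") -> str:
    """Hex localized key that an agent with this engine ID derives for the user."""
    ku = password_to_ku(password.encode(), algo)
    return localize_key(ku, expand_engine_id(engine_id_hex), algo).hex()


def digest_survives_engine_id_change(password: str, old_id: str, new_id: str) -> bool:
    """False whenever the localized key changes: the stored digest no longer matches
    what the peer computes, so 'snmp-server user' must be re-entered."""
    return user_digest(password, old_id) == user_digest(password, new_id)


if __name__ == "__main__":
    # Constructed demonstration values; the password is the RFC 3414 appendix A sample.
    print("Kul with engine ID 1234:", user_digest("maplesyrup", "1234"))
    print("Kul with engine ID 1235:", user_digest("maplesyrup", "1235"))
    print("digest still valid:", digest_survives_engine_id_change("maplesyrup", "1234", "1235"))
```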


Disabling  the  SNMP  Agent 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  disable  the  SNMP  agent: 


Step 1  configure terminal
        Enter global configuration mode.

Step 2  no snmp-server
        Disable the SNMP agent operation.

Step 3  end
        Return to privileged EXEC mode.

Step 4  show running-config
        Verify your entries.

Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.


The  no  snmp-server  global  configuration  command  disables  all  running  versions  (Version  1, 
Version  2C,  and  Version  3)  on  the  device.  No  specific  Cisco  IOS  command  exists  to  enable  SNMP.  The 
first  snmp-server  global  configuration  command  that  you  enter  enables  all  versions  of  SNMP. 


Configuring  Community  Strings 

You  use  the  SNMP  community  string  to  define  the  relationship  between  the  SNMP  manager  and  the 
agent.  The  community  string  acts  like  a  password  to  permit  access  to  the  agent  on  the  switch.  Optionally, 
you  can  specify  one  or  more  of  these  characteristics  associated  with  the  string: 

•  An  access  list  of  IP  addresses  of  the  SNMP  managers  that  are  permitted  to  use  the  community  string 
to  gain  access  to  the  agent 

•  A  MIB  view,  which  defines  the  subset  of  all  MIB  objects  accessible  to  the  given  community 

•  Read  and  write  or  read-only  permission  for  the  MIB  objects  accessible  to  the  community 
Beginning in privileged EXEC mode, follow these steps to configure a community string on the switch:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  snmp-server community string [view view-name] [ro | rw] [access-list-number]
        Configure the community string.
        • For string, specify a string that acts like a password and permits access to the SNMP protocol. You can configure one or more community strings of any length.
        • (Optional) For view, specify the view record accessible to the community.
        • (Optional) Specify either read-only (ro) if you want authorized management stations to retrieve MIB objects, or specify read-write (rw) if you want authorized management stations to retrieve and modify MIB objects. By default, the community string permits read-only access to all objects.
        • (Optional) For access-list-number, enter an IP standard access list numbered from 1 to 99 and 1300 to 1999.

Step 3  access-list access-list-number {deny | permit} source [source-wildcard]
        (Optional) If you specified an IP standard access list number in Step 2, then create the list, repeating the command as many times as necessary.
        • For access-list-number, enter the access list number specified in Step 2.
        • The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
        • For source, enter the IP address of the SNMP managers that are permitted to use the community string to gain access to the agent.
        • (Optional) For source-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the source. Place ones in the bit positions that you want to ignore.
        Recall that the access list is always terminated by an implicit deny statement for everything.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show running-config
        Verify your entries.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.



Note      To  disable  access  for  an  SNMP  community,  set  the  community  string  for  that  community  to  the  null 
string  (do  not  enter  a  value  for  the  community  string). 


To  remove  a  specific  community  string,  use  the  no  snmp-server  community  string  global  configuration 
command. 
This example shows how to assign the string comaccess to SNMP, to allow read-only access, and to specify that IP access list 4 can use the community string to gain access to the switch SNMP agent:

Switch(config)# snmp-server community comaccess ro 4


Configuring  SNMP  Groups  and  Users 

You  can  specify  an  identification  name  (engine  ID)  for  the  local  or  remote  SNMP  server  engine  on  the 
switch.  You  can  configure  an  SNMP  server  group  that  maps  SNMP  users  to  SNMP  views,  and  you  can 
add  new  users  to  the  SNMP  group. 

Beginning in privileged EXEC mode, follow these steps to configure SNMP on the switch:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  snmp-server engineID {local engineid-string | remote ip-address [udp-port port-number] engineid-string}
        Configure a name for either the local or remote copy of SNMP.
        • The engineid-string is a 24-character ID string with the name of the copy of SNMP. You need not specify the entire 24-character engine ID if it has trailing zeros. Specify only the portion of the engine ID up to the point where only zeros remain in the value. For example, to configure an engine ID of 123400000000000000000000, you can enter this: snmp-server engineID local 1234
        • If you select remote, specify the ip-address of the device that contains the remote copy of SNMP and the optional User Datagram Protocol (UDP) port on the remote device. The default is 162.

Step 3  snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]
        Configure a new SNMP group on the remote device.
        • For groupname, specify the name of the group.
        • Specify a security model:
          - v1 is the least secure of the possible security models.
          - v2c is the second least secure model. It allows transmission of informs and integers twice the normal width.
          - v3, the most secure, requires you to select an authentication level:
            auth — Enables the Message Digest 5 (MD5) and the Secure Hash Algorithm (SHA) packet authentication.
            noauth — Enables the noAuthNoPriv security level. This is the default if no keyword is specified.
            priv — Enables Data Encryption Standard (DES) packet encryption (also called privacy).
          Note  The priv keyword is available only when the cryptographic software image is installed.
        • (Optional) Enter read readview with a string (not to exceed 64 characters) that is the name of the view in which you can only view the contents of the agent.
        • (Optional) Enter write writeview with a string (not to exceed 64 characters) that is the name of the view in which you enter data and configure the contents of the agent.
        • (Optional) Enter notify notifyview with a string (not to exceed 64 characters) that is the name of the view in which you specify a notify, inform, or trap.
        • (Optional) Enter access access-list with a string (not to exceed 64 characters) that is the name of the access list.

Step 4  snmp-server user username groupname {remote host [udp-port port]} {v1 [access access-list] | v2c [access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password]}
        Add a new user for an SNMP group.
        • The username is the name of the user on the host that connects to the agent.
        • The groupname is the name of the group to which the user is associated.
        • Enter remote to specify a remote SNMP entity to which the user belongs and the hostname or IP address of that entity with the optional UDP port number. The default is 162.
        • Enter the SNMP version number (v1, v2c, or v3). If you enter v3, you have these additional options:
          - encrypted specifies that the password appears in encrypted format. This keyword is available only when the v3 keyword is specified.
          - auth is an authentication level setting session that can be either the HMAC-MD5-96 (md5) or the HMAC-SHA-96 (sha) authentication level and requires a password string (not to exceed 64 characters).
        • (Optional) Enter access access-list with a string (not to exceed 64 characters) that is the name of the access list.

Step 5  end
        Return to privileged EXEC mode.

Step 6  show running-config
        Verify your entries.

Step 7  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

Configuring  SNMP  Notifications 

A  trap  manager  is  a  management  station  that  receives  and  processes  traps.  Traps  are  system  alerts  that 
the  switch  generates  when  certain  events  occur.  By  default,  no  trap  manager  is  defined,  and  no  traps  are 
sent.  Switches  running  this  Cisco  IOS  release  can  have  an  unlimited  number  of  trap  managers. 


Note      Many  commands  use  the  word  traps  in  the  command  syntax.  Unless  there  is  an  option  in  the  command 
to  select  either  traps  or  informs,  the  keyword  traps  refers  to  either  traps,  informs,  or  both.  Use  the 
snmp-server  host  global  configuration  command  to  specify  whether  to  send  SNMP  notifications  as 
traps  or  informs. 


Table  25-5  describes  the  supported  switch  traps  (notification  types).  You  can  enable  any  or  all  of  these 
traps  and  configure  a  trap  manager  to  receive  them. 


Table 25-5        Switch Notification Types

Notification Type Keyword
    Description

bgp
    Generates Border Gateway Protocol (BGP) state change traps. This option is only available when the enhanced multilayer image is installed.

bridge
    Generates STP bridge MIB traps.

cluster
    Generates a trap when the cluster configuration changes.

config
    Generates a trap for SNMP configuration changes.

copy-config
    Generates a trap for SNMP copy configuration changes.

entity
    Generates a trap for SNMP entity changes.

envmon
    Generates environmental monitor traps. You can enable any or all of these environmental traps: fan, shutdown, status, supply, temperature.

flash
    Generates SNMP FLASH notifications.

hsrp
    Generates a trap for Hot Standby Router Protocol (HSRP) changes.

ipmulticast
    Generates a trap for IP multicast routing changes.

mac-notification
    Generates a trap for MAC address notifications.

msdp
    Generates a trap for Multicast Source Discovery Protocol (MSDP) changes.

ospf
    Generates a trap for Open Shortest Path First (OSPF) changes. You can enable any or all of these traps: Cisco specific, errors, link-state advertisement, rate limit, retransmit, and state changes.

pim
    Generates a trap for Protocol-Independent Multicast (PIM) changes. You can enable any or all of these traps: invalid PIM messages, neighbor changes, and rendezvous point (RP)-mapping changes.

port-security
    Generates SNMP port security traps. You can also set a maximum trap rate per second. The range is from 0 to 1000; the default is 0, which means that there is no rate limit.

rtr
    Generates a trap for the SNMP Response Time Reporter (RTR).

snmp
    Generates a trap for SNMP-type notifications for authentication, cold start, warm start, link up or link down.

storm-control
    Generates a trap for SNMP storm-control. You can also set a maximum trap rate per second. The range is from 0 to 1000; the default is 0 (no limit is imposed; a trap is sent at every occurrence).

stpx
    Generates SNMP STP Extended MIB traps.

syslog
    Generates SNMP syslog traps.

tty
    Generates a trap for TCP connections. This trap is enabled by default.

vlan-membership
    Generates a trap for SNMP VLAN membership changes.

vlancreate
    Generates SNMP VLAN created traps.

vlandelete
    Generates SNMP VLAN deleted traps.

vtp
    Generates a trap for VLAN Trunking Protocol (VTP) changes.


Note      To enable the sending of SNMP inform notifications, use the snmp-server enable traps global configuration command combined with the snmp-server host host-addr informs global configuration command.

You can use the snmp-server host global configuration command to configure a specific host to receive the notification types listed in Table 25-5.

Beginning in privileged EXEC mode, follow these steps to configure the switch to send traps or informs to a host:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  snmp-server engineID remote ip-address engineid-string
        Specify the engine ID for the remote host.

Step 3  snmp-server user username groupname {remote host [udp-port port]} {v1 [access access-list] | v2c [access access-list] | v3 [encrypted] [access access-list] [auth {md5 | sha} auth-password]}
        Configure an SNMP user to be associated with the remote host created in Step 2.
        Note  You cannot configure a remote user for an address without first configuring the engine ID for the remote host. Otherwise, you receive an error message, and the command is not executed.

Step 4  snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]
        Configure an SNMP group.

Step 5  snmp-server host host-addr [informs | traps] [version {1 | 2c | 3 {auth | noauth | priv}}] community-string [notification-type]
        Specify the recipient of an SNMP trap operation.
        • For host-addr, specify the name or Internet address of the host (the targeted recipient).
        • (Optional) Enter informs to send SNMP informs to the host.
        • (Optional) Enter traps (the default) to send SNMP traps to the host.
        • (Optional) Specify the SNMP version (1, 2c, or 3). SNMPv1 does not support informs.
        • (Optional) For Version 3, select authentication level auth, noauth, or priv.
          Note  The priv keyword is available only when the cryptographic software image is installed.
        • For community-string, when version 1 or version 2c is specified, enter the password-like community string sent with the notification operation. When version 3 is specified, enter the SNMPv3 username.
        • (Optional) For notification-type, use the keywords listed in Table 25-5 on page 25-12. If no type is specified, all notifications are sent.

Step 6  snmp-server enable traps notification-types
        Enable the switch to send traps or informs and specify the type of notifications to be sent. For a list of notification types, see Table 25-5 on page 25-12, or enter snmp-server enable traps ?
        To enable multiple types of traps, you must enter a separate snmp-server enable traps command for each trap type.

Step 7  snmp-server trap-source interface-id
        (Optional) Specify the source interface, which provides the IP address for the trap message. This command also sets the source IP address for informs.

Step 8  snmp-server queue-length length
        (Optional) Establish the message queue length for each trap host. The range is 1 to 1000; the default is 10.

Step 9  snmp-server trap-timeout seconds
        (Optional) Define how often to resend trap messages. The range is 1 to 1000; the default is 30 seconds.

Step 10 end
        Return to privileged EXEC mode.

Step 11 show running-config
        Verify your entries.

Step 12 copy running-config startup-config
        (Optional) Save your entries in the configuration file.

The snmp-server host command specifies which hosts receive the notifications. The snmp-server enable traps command globally enables the mechanism for the specified notification (for traps and informs). To enable a host to receive an inform, you must configure an snmp-server host informs command for the host and globally enable informs by using the snmp-server enable traps command.

To  remove  the  specified  host  from  receiving  traps,  use  the  no  snmp-server  host  host  global 
configuration  command.  The  no  snmp-server  host  command  with  no  keywords  disables  traps,  but  not 
informs,  to  the  host.  To  disable  informs,  use  the  no  snmp-server  host  informs  global  configuration 
command.  To  disable  a  specific  trap  type,  use  the  no  snmp-server  enable  traps  notification-types 
global  configuration  command. 


Setting  the  Agent  Contact  and  Location  Information 


Beginning in privileged EXEC mode, follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be accessed through the configuration file:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  snmp-server contact text
        Set the system contact string.
        For example:
        snmp-server contact Dial System Operator at beeper 21555.

Step 3  snmp-server location text
        Set the system location string.
        For example:
        snmp-server location Building 3/Room 222

Step 4  end
        Return to privileged EXEC mode.

Step 5  show running-config
        Verify your entries.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Limiting TFTP Servers Used Through SNMP

Beginning in privileged EXEC mode, follow these steps to limit the TFTP servers used for saving and loading configuration files through SNMP to the servers specified in an access list:

Step 1  configure terminal
        Enter global configuration mode.

Step 2  snmp-server tftp-server-list access-list-number
        Limit TFTP servers used for configuration file copies through SNMP to the servers in the access list.
        For access-list-number, enter an IP standard access list numbered from 1 to 99 and 1300 to 1999.

Step 3  access-list access-list-number {deny | permit} source [source-wildcard]
        Create a standard access list, repeating the command as many times as necessary.
        • For access-list-number, enter the access list number specified in Step 2.
        • The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
        • For source, enter the IP address of the TFTP servers that can access the switch.
        • (Optional) For source-wildcard, enter the wildcard bits, in dotted decimal notation, to be applied to the source. Place ones in the bit positions that you want to ignore.
        Recall that the access list is always terminated by an implicit deny statement for everything.

Step 4  end
        Return to privileged EXEC mode.

Step 5  show running-config
        Verify your entries.

Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

SNMP  Examples 

This  example  shows  how  to  enable  all  versions  of  SNMP.  The  configuration  permits  any  SNMP  manager 
to  access  all  objects  with  read-only  permissions  using  the  community  string  public.  This  configuration 
does  not  cause  the  switch  to  send  any  traps. 

Switch(config)# snmp-server community public

This example shows how to permit any SNMP manager to access all objects with read-only permission using the community string public. The switch also sends VTP traps to the hosts 192.180.1.111 and 192.180.1.33 using SNMPv1 and to the host 192.180.1.27 using SNMPv2C. The community string public is sent with the traps.

Switch(config)# snmp-server community public
Switch(config)# snmp-server enable traps vtp
Switch(config)# snmp-server host 192.180.1.27 version 2c public
Switch(config)# snmp-server host 192.180.1.111 version 1 public
Switch(config)# snmp-server host 192.180.1.33 public
This example shows how to allow read-only access for all objects to members of access list 4 that use the comaccess community string. No other SNMP managers have access to any objects. SNMP Authentication Failure traps are sent by SNMPv2C to the host cisco.com using the community string public.

Switch(config)# snmp-server community comaccess ro 4
Switch(config)# snmp-server enable traps snmp authentication
Switch(config)# snmp-server host cisco.com version 2c public

This  example  shows  how  to  send  Entity  MIB  traps  to  the  host  cisco.com.  The  community  string  is 
restricted.  The  first  line  enables  the  switch  to  send  Entity  MIB  traps  in  addition  to  any  traps  previously 
enabled.  The  second  line  specifies  the  destination  of  these  traps  and  overwrites  any  previous 
snmp-server  host  commands  for  the  host  cisco.com. 

Switch(config)# snmp-server enable traps entity
Switch(config)# snmp-server host cisco.com restricted entity

This  example  shows  how  to  enable  the  switch  to  send  all  traps  to  the  host  myhost.cisco.com  using  the 
community  string  public: 

Switch(config)# snmp-server enable traps
Switch(config)# snmp-server host myhost.cisco.com public

This  example  shows  how  to  associate  a  user  with  a  remote  host  and  to  send  auth  (authNoPriv) 
authentication-level  informs  when  the  user  enters  global  configuration  mode: 

Switch(config)# snmp-server engineID remote 192.180.1.27 00000063000100a1c0b4011b
Switch(config)# snmp-server group authgroup v3 auth
Switch(config)# snmp-server user authuser authgroup remote 192.180.1.27 v3 auth md5 mypassword
Switch(config)# snmp-server user authuser authgroup v3 auth md5 mypassword
Switch(config)# snmp-server host 192.180.1.27 informs version 3 auth authuser config
Switch(config)# snmp-server enable traps
Switch(config)# snmp-server inform retries 0


Displaying  SNMP  Status 

To  display  SNMP  input  and  output  statistics,  including  the  number  of  illegal  community  string  entries, 
errors,  and  requested  variables,  use  the  show  snmp  privileged  EXEC  command.  You  also  can  use  the 
other  privileged  EXEC  commands  in  Table  25-6  to  display  SNMP  information.  For  information  about 
the  fields  in  the  displays,  see  the  Cisco  IOS  Configuration  Fundamentals  Command  Reference,  Release 
12.2. 


Table 25-6         Commands for Displaying SNMP Information

Command                               Purpose
show snmp                             Displays SNMP statistics.
show snmp engineID [local | remote]   Displays information on the local SNMP engine and all remote engines that have been configured on the device.
show snmp group                       Displays information on each SNMP group on the network.
show snmp pending                     Displays information on pending SNMP requests.
show snmp sessions                    Displays information on the current SNMP sessions.
show snmp user                        Displays information on each SNMP user name in the SNMP users table.
CHAPTER 


Configuring  Network  Security  with  ACLs 


This  chapter  describes  how  to  configure  network  security  on  the  switch  by  using  access  control  lists 
(ACLs),  which  in  commands  and  tables  are  also  referred  to  as  access  lists. 


Note      Information  in  this  chapter  about  IP  ACLs  is  specific  to  IP  Version  4  (IPv4). 


For complete syntax and usage information for the commands used in this chapter, see the command reference for this release, the "Configuring IP Services" section in the "IP Addressing and Services" chapter of the Cisco IOS IP Configuration Guide, Release 12.2, and the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2.

This  chapter  consists  of  these  sections: 

•  Understanding  ACLs,  page  26-1 

•  Configuring  IPv4  ACLs,  page  26-5 

•  Creating  Named  MAC  Extended  ACLs,  page  26-20 

•  Configuring  VLAN  Maps,  page  26-22 

•  Displaying  IPv4  ACL  Configuration,  page  26-29 

Understanding  ACLs 

Packet  filtering  can  help  limit  network  traffic  and  restrict  network  use  by  certain  users  or  devices.  ACLs 
filter  traffic  as  it  passes  through  a  switch  and  permit  or  deny  packets  crossing  specified  interfaces  or 
VLANs.  An  ACL  is  a  sequential  collection  of  permit  and  deny  conditions  that  apply  to  packets.  When  a 
packet  is  received  on  an  interface,  the  switch  compares  the  fields  in  the  packet  against  any  applied  ACLs 
to  verify  that  the  packet  has  the  required  permissions  to  be  forwarded,  based  on  the  criteria  specified  in 
the  access  lists.  One  by  one,  it  tests  packets  against  the  conditions  in  an  access  list.  The  first  match 
decides  whether  the  switch  accepts  or  rejects  the  packets.  Because  the  switch  stops  testing  after  the  first 
match,  the  order  of  conditions  in  the  list  is  critical.  If  no  conditions  match,  the  switch  rejects  the  packet. 
If  there  are  no  restrictions,  the  switch  forwards  the  packet;  otherwise,  the  switch  drops  the  packet.  The 
switch  can  use  ACLs  on  all  packets  it  forwards,  including  packets  bridged  within  a  VLAN. 
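The IP standard access list behavior that the SNMP community-string and TFTP-server-list procedures earlier on this page rely on, and the first-match rule just described, as an added example that is not from the guide: a Python model of wildcard-mask matching, top-to-bottom first-match evaluation and the implicit deny, applied to a constructed ACL 4 bound to the comaccess community string. The access list entries and manager addresses are constructed sample data.

```python
# Added example (not from the Cisco guide): a model of IP standard access list
# semantics (wildcard masks, first match wins, implicit deny at the end).
import ipaddress
from dataclasses import dataclass
from typing import List


def wildcard_match(source: str, wildcard: str, address: str) -> bool:
    """A one bit in the wildcard means 'ignore this bit'; every zero bit must match."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(source)) & care) == (int(ipaddress.IPv4Address(address)) & care)


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    source: str
    wildcard: str = "0.0.0.0"   # omitted source-wildcard means an exact host match


class StandardAcl:
    """Numbered IP standard ACL (1 to 99, 1300 to 1999), evaluated top to bottom."""

    def __init__(self, number: int):
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError("standard ACL number must be 1-99 or 1300-1999")
        self.number = number
        self.entries: List[Ace] = []

    def add_line(self, line: str) -> None:
        """Parse 'access-list N {deny|permit} source [source-wildcard]' and append it."""
        tok = line.split()
        if len(tok) not in (4, 5) or tok[0] != "access-list" or int(tok[1]) != self.number:
            raise ValueError(f"not an entry for access-list {self.number}: {line!r}")
        if tok[2] not in ("permit", "deny"):
            raise ValueError(f"action must be permit or deny: {line!r}")
        self.entries.append(Ace(tok[2], tok[3], tok[4] if len(tok) == 5 else "0.0.0.0"))

    def evaluate(self, address: str) -> str:
        """The first matching entry decides; no match falls through to the implicit deny."""
        for ace in self.entries:
            if wildcard_match(ace.source, ace.wildcard, address):
                return ace.action
        return "deny"


def manager_may_use_community(acl: StandardAcl, manager_ip: str) -> bool:
    """'snmp-server community comaccess ro 4' admits a manager only if ACL 4 permits its source."""
    return acl.evaluate(manager_ip) == "permit"


def build_sample_acl_4() -> StandardAcl:
    """Constructed sample: deny one host first, then permit the rest of its /24.
    Swapping the two lines would let the host through, because the permit would match first."""
    acl = StandardAcl(4)
    acl.add_line("access-list 4 deny 192.180.1.27")
    acl.add_line("access-list 4 permit 192.180.1.0 0.0.0.255")
    return acl


if __name__ == "__main__":
    acl = build_sample_acl_4()
    for ip in ("192.180.1.27", "192.180.1.33", "10.1.1.1"):
        print(ip, "->", acl.evaluate(ip), "| may use comaccess:", manager_may_use_community(acl, ip))
```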

You  configure  access  lists  on  a  switch  to  provide  basic  security  for  your  network.  If  you  do  not  configure 
ACLs,  all  packets  passing  through  the  switch  could  be  allowed  onto  all  parts  of  the  network.  You  can 
use  ACLs  to  control  which  hosts  can  access  different  parts  of  a  network  or  to  decide  which  types  of 
traffic  are  forwarded  or  blocked.  For  example,  you  can  allow  e-mail  traffic  to  be  forwarded  but  not 
Telnet  traffic. 
An  ACL  contains  an  ordered  list  of  access  control  entries  (ACEs).  Each  ACE  specifies  permit  or  deny 
and  a  set  of  conditions  the  packet  must  satisfy  in  order  to  match  the  ACE.  The  meaning  of  permit  or  deny 
depends  on  the  context  in  which  the  ACL  is  used. 

The  switch  supports  IP  ACLs  and  Ethernet  (MAC)  ACLs: 

•  IP  ACLs  filter  IPv4  traffic,  including  TCP,  User  Datagram  Protocol  (UDP),  Internet  Group 
Management  Protocol  (IGMP),  and  Internet  Control  Message  Protocol  (ICMP). 

•  Ethernet  ACLs  filter  non-IP  traffic. 

This  switch  also  supports  quality  of  service  (QoS)  classification  ACLs.  For  more  information,  see  the 
"Classification  Based  on  QoS  ACLs"  section  on  page  27-7. 

These  sections  contain  this  conceptual  information: 

•  Supported  ACLs,  page  26-2 

•  Handling  Fragmented  and  Unfragmented  Traffic,  page  26-4 

Supported  ACLs 

The  switch  supports  two  applications  of  ACLs  to  filter  traffic: 

•  Port  ACLs  access-control  traffic  entering  a  Layer  2  interface.  The  switch  does  not  support  port 
ACLs  in  the  outbound  direction.  You  can  apply  only  one  IP  access  list  and  one  MAC  access  list  to 
a  Layer  2  interface.  For  more  information,  see  the  "Port  ACLs"  section  on  page  26-2. 

•  VLAN  ACLs  or  VLAN  maps  access-control  all  packets  (bridged  and  routed).  You  can  use  VLAN 
maps  to  filter  traffic  between  devices  in  the  same  VLAN.  VLAN  maps  are  configured  to  provide 
access  control  based  on  Layer  3  addresses  for  IPv4.  Unsupported  protocols  are  access-controlled 
through  MAC  addresses  using  Ethernet  ACEs.  After  a  VLAN  map  is  applied  to  a  VLAN,  all  packets 
(routed  or  bridged)  entering  the  VLAN  are  checked  against  the  VLAN  map.  Packets  can  either  enter 
the  VLAN  through  a  switch  port  or  through  a  routed  port  after  being  routed.  For  more  information, 
see  the  "VLAN  Maps"  section  on  page  26-3. 

You  can  use  input  port  ACLs  and  VLAN  maps  on  the  same  switch.  However,  a  port  ACL  takes 
precedence  over  a  VLAN  map.  When  an  input  port  ACL  is  applied  to  an  interface  that  belongs  to  a 
VLAN  that  has  a  VLAN  map  applied,  incoming  packets  received  at  the  interface  are  filtered  by  the  port 
ACL.  Other  packets  are  filtered  by  the  VLAN  map. 

Port  ACLs 

Port  ACLs  are  ACLs  that  are  applied  to  Layer  2  interfaces  on  a  switch.  Port  ACLs  are  supported  only 
on  physical  interfaces  and  not  on  EtherChannel  interfaces  and  can  be  applied  only  on  interfaces  in  the 
inbound  direction.  These  access  lists  are  supported: 

•  Standard  IP  access  lists  using  source  addresses 

•  Extended  IP  access  lists  using  source  and  destination  addresses  and  optional  protocol  type 
information 

•  MAC  extended  access  lists  using  source  and  destination  MAC  addresses  and  optional  protocol  type 
information 

The  switch  examines  ACLs  associated  with  all  inbound  features  configured  on  a  given  interface  and 
permits  or  denies  packet  forwarding  based  on  how  the  packet  matches  the  entries  in  the  ACL.  In  this 
way,  ACLs  control  access  to  a  network  or  to  part  of  a  network.  Figure  26-1  is  an  example  of  using  port 
ACLs  to  control  access  to  a  network  when  all  servers  are  in  the  same  VLAN.  ACLs  applied  at  the  Layer 
2  input  would  allow  Blade  Server  A  to  access  the  Human  Resources  network,  but  prevent  Blade  Server 
B  from  accessing  the  same  network.  Port  ACLs  can  only  be  applied  to  Layer  2  interfaces  in  the  inbound 
direction. 


Figure 26-1        Using ACLs to Control Traffic to a Network 

(Figure: Blade Server A and Blade Server B attach to the switch, which connects to the Human Resources network and the Research & Development network. X = ACL denying traffic from Blade Server B and permitting traffic from Blade Server A; arrow = packet.) 


When  you  apply  a  port  ACL  to  a  trunk  port,  the  ACL  filters  traffic  on  all  VLANs  present  on  the  trunk 
port.  When  you  apply  a  port  ACL  to  a  port  with  voice  VLAN,  the  ACL  filters  traffic  on  both  data  and 
voice  VLANs. 

With  port  ACLs,  you  can  filter  IP  traffic  by  using  IP  access  lists  and  non-IP  traffic  by  using  MAC 
addresses.  You  can  filter  both  IP  and  non-IP  traffic  on  the  same  Layer  2  interface  by  applying  both  an 
IP  access  list  and  a  MAC  access  list  to  the  interface. 

Note  You  cannot  apply  more  than  one  IP  access  list  and  one  MAC  access  list  to  a  Layer  2  interface.  If  an  IP 
access  list  or  MAC  access  list  is  already  configured  on  a  Layer  2  interface  and  you  apply  a  new  IP  access 
list  or  MAC  access  list  to  the  interface,  the  new  ACL  replaces  the  previously  configured  one. 


VLAN  Maps 

You  use  VLAN  ACLs  or  VLAN  maps  to  filter  traffic  between  devices  in  the  same  VLAN.  When  a 
VLAN  map  is  applied  to  a  VLAN,  all  packets  being  forwarded  in  the  VLAN  are  checked  against  the 
VLAN  map. 

Use  VLAN  maps  for  security  packet  filtering.  VLAN  maps  are  not  defined  by  direction  (input  or  output). 
You  can  configure  VLAN  maps  to  match  Layer  3  addresses  for  IPv4  traffic. 

All  non-IP  protocols  are  access-controlled  through  MAC  addresses  and  Ethertype  using  MAC  VLAN 
maps.  (IP  traffic  is  not  access  controlled  by  MAC  VLAN  maps.)  You  can  enforce  VLAN  maps  only  on 
packets  going  through  the  switch;  you  cannot  enforce  VLAN  maps  on  traffic  between  hosts  on  a  hub  or 
on  another  switch  connected  to  this  switch. 
With VLAN maps, forwarding of packets is permitted or denied, based on the action specified in the 
map.  Figure  26-2  shows  how  a  VLAN  map  is  applied  to  prevent  a  specific  type  of  traffic  from  Host  A 
in  VLAN  10  from  being  forwarded.  You  can  apply  only  one  VLAN  map  to  a  VLAN. 

Figure 26-2        Using VLAN Maps to Control Traffic 

(Figure: Blade Server A and Blade Server B, both in VLAN 10. X = VLAN map denying a specific type of traffic from Host A; arrow = packet.) 


Handling  Fragmented  and  Unfragmented  Traffic 

IP  packets  can  be  fragmented  as  they  cross  the  network.  When  this  happens,  only  the  fragment 
containing  the  beginning  of  the  packet  contains  the  Layer  4  information,  such  as  TCP  or  UDP  port 
numbers,  ICMP  type  and  code,  and  so  on.  All  other  fragments  are  missing  this  information. 

Some  ACEs  do  not  check  Layer  4  information  and  therefore  can  be  applied  to  all  packet  fragments. 
ACEs  that  do  test  Layer  4  information  cannot  be  applied  in  the  standard  manner  to  most  of  the  fragments 
in  a  fragmented  IP  packet.  When  the  fragment  contains  no  Layer  4  information  and  the  ACE  tests  some 
Layer  4  information,  the  matching  rules  are  modified: 

•  Permit  ACEs  that  check  the  Layer  3  information  in  the  fragment  (including  protocol  type,  such  as 
TCP,  UDP,  and  so  on)  are  considered  to  match  the  fragment  regardless  of  what  the  missing  Layer  4 
information  might  have  been. 

•  Deny  ACEs  that  check  Layer  4  information  never  match  a  fragment  unless  the  fragment  contains 
Layer  4  information. 

Consider  access  list  102,  configured  with  these  commands,  applied  to  three  fragmented  packets: 

Switch(config)# access-list 102 permit tcp any host 10.1.1.1 eq smtp 
Switch(config)# access-list 102 deny tcp any host 10.1.1.2 eq telnet 
Switch(config)# access-list 102 permit tcp any host 10.1.1.2 
Switch(config)# access-list 102 deny tcp any any 

Note      In the first and second ACEs in the example, the eq keyword after the destination address means to test 
for the TCP destination port well-known numbers equaling Simple Mail Transfer Protocol (SMTP) and 
Telnet, respectively. 


• Packet A is a TCP packet from host 10.2.2.2, port 65000, going to host 10.1.1.1 on the SMTP port. 
If  this  packet  is  fragmented,  the  first  fragment  matches  the  first  ACE  (a  permit)  as  if  it  were  a 
complete  packet  because  all  Layer  4  information  is  present.  The  remaining  fragments  also  match  the 
first  ACE,  even  though  they  do  not  contain  the  SMTP  port  information,  because  the  first  ACE  only 
checks  Layer  3  information  when  applied  to  fragments.  The  information  in  this  example  is  that  the 
packet  is  TCP  and  that  the  destination  is  10.1.1.1. 
• Packet B is from host 10.2.2.2, port 65001, going to host 10.1.1.2 on the Telnet port. If this packet 
is  fragmented,  the  first  fragment  matches  the  second  ACE  (a  deny)  because  all  Layer  3  and  Layer  4 
information  is  present.  The  remaining  fragments  in  the  packet  do  not  match  the  second  ACE  because 
they  are  missing  Layer  4  information.  Instead,  they  match  the  third  ACE  (a  permit). 

Because  the  first  fragment  was  denied,  host  10.1.1.2  cannot  reassemble  a  complete  packet,  so  packet 
B  is  effectively  denied.  However,  the  later  fragments  that  are  permitted  will  consume  bandwidth  on 
the  network  and  resources  of  host  10.1.1.2  as  it  tries  to  reassemble  the  packet. 

• Packet C is from host 10.2.2.2, port 65001, going to host 10.1.1.3, port ftp. If this packet is 
fragmented, the first fragment matches the fourth ACE (a deny). All other fragments also match 
the  fourth  ACE  because  that  ACE  does  not  check  any  Layer  4  information  and  because  Layer  3 
information  in  all  fragments  shows  that  they  are  being  sent  to  host  10.1.1.3,  and  the  earlier  permit 
ACEs  were  checking  different  hosts. 
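
The three cases above can be checked mechanically. The following Python model is an added example, not part of the Cisco guide: it implements the matching rules this section states (first match wins, implicit deny, a Layer 4 permit ACE matches a non-initial fragment on Layer 3 alone, a Layer 4 deny ACE never matches a fragment without a Layer 4 header) and runs access list 102 over packets A, B and C. The ACE and Fragment classes and the function names are this example's own. The non_initial_only flag models the fragments keyword that the extended ACL syntax later on this page describes (an ACE that checks non-initial fragments only); the hardened list built with it is also this example's own, and shows one way to stop the trailing fragments of packet B from being forwarded. Whether that trade-off is acceptable depends on whether legitimate fragmented traffic to 10.1.1.2 is expected.

```python
"""ACL fragment handling modelled in Python (added example, not from the guide).

Rules reproduced from the text: first match wins, an implicit deny ends every
list, a permit ACE that tests Layer 4 matches a non-initial fragment on its
Layer 3 fields alone, and a deny ACE that tests Layer 4 never matches a
fragment that carries no Layer 4 header. Access list 102 and packets A, B and C
come from the text; the classes, `non_initial_only` (the `fragments` keyword)
and the hardened list are this example's own.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # `any`: address 0.0.0.0, wildcard all ones


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w) == 0


@dataclass(frozen=True)
class ACE:
    action: str                       # "permit" or "deny"
    protocol: str                     # "tcp", "udp", "icmp" or "ip" (any IP protocol)
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None    # `eq <port>` on the destination; None = no Layer 4 test
    non_initial_only: bool = False    # `fragments` keyword: match non-initial fragments only


@dataclass(frozen=True)
class Fragment:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int]           # None for a non-initial fragment (no Layer 4 header)


def ace_matches(ace: ACE, frag: Fragment) -> bool:
    l3_ok = (ace.protocol in ("ip", frag.protocol)
             and wildcard_match(frag.src, ace.src, ace.src_wc)
             and wildcard_match(frag.dst, ace.dst, ace.dst_wc))
    if not l3_ok:
        return False
    has_l4 = frag.dst_port is not None
    if ace.non_initial_only and has_l4:
        return False                  # a `fragments` ACE skips the initial fragment
    if ace.dst_port is None:
        return True                   # pure Layer 3 ACE: applies to every fragment
    if has_l4:
        return frag.dst_port == ace.dst_port
    # Fragment has no Layer 4 header but the ACE tests Layer 4:
    return ace.action == "permit"     # permit matches on L3 alone, deny never matches


def evaluate(acl: list[ACE], frag: Fragment) -> str:
    for ace in acl:
        if ace_matches(ace, frag):
            return ace.action
    return "deny"                     # implicit deny at the end of every ACL


# access-list 102 from the text
ACL_102 = [
    ACE("permit", "tcp", *ANY, "10.1.1.1", "0.0.0.0", dst_port=25),   # eq smtp
    ACE("deny",   "tcp", *ANY, "10.1.1.2", "0.0.0.0", dst_port=23),   # eq telnet
    ACE("permit", "tcp", *ANY, "10.1.1.2", "0.0.0.0"),
    ACE("deny",   "tcp", *ANY, *ANY),
]

# Hardened variant (this example's own): drop every non-initial TCP fragment to 10.1.1.2
# ahead of the permit, so a denied Telnet packet cannot leak its trailing fragments.
ACL_102_HARDENED = [ACE("deny", "tcp", *ANY, "10.1.1.2", "0.0.0.0", non_initial_only=True)] + ACL_102


def fragmented_packet(dst: str, dst_port: int, pieces: int = 3) -> list[Fragment]:
    """Constructed TCP packet from 10.2.2.2 split into `pieces`; only the first carries ports."""
    first = Fragment("tcp", "10.2.2.2", dst, dst_port)
    return [first] + [Fragment("tcp", "10.2.2.2", dst, None) for _ in range(pieces - 1)]


def verdicts(acl: list[ACE], dst: str, dst_port: int) -> list[str]:
    """Per-fragment decisions, initial fragment first."""
    return [evaluate(acl, f) for f in fragmented_packet(dst, dst_port)]


if __name__ == "__main__":
    for name, dst, port in (("A", "10.1.1.1", 25), ("B", "10.1.1.2", 23), ("C", "10.1.1.3", 21)):
        print(f"packet {name}: {verdicts(ACL_102, dst, port)}  "
              f"hardened: {verdicts(ACL_102_HARDENED, dst, port)}")
```

Packet B is where the gap shows: the first fragment is denied, the rest are permitted by the third ACE. With the fragments deny placed first, all three fragments of packet B are dropped while an unfragmented, non-Telnet connection to 10.1.1.2 is still permitted.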

Configuring  IPv4  ACLs 

Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches 
and  routers.  The  process  is  briefly  described  here.  For  more  detailed  information  on  configuring  ACLs, 
see  the  "Configuring  IP  Services"  section  in  the  "IP  Addressing  and  Services"  chapter  of  the  Cisco  IOS 
IP  Configuration  Guide,  Release  12.2.  For  detailed  information  about  the  commands,  see  the  Cisco  IOS 
IP  Command  Reference,  Volume  I  of  3:  Addressing  and  Services,  Release  12.2. 

The  switch  does  not  support  these  Cisco  IOS  router  ACL-related  features: 

•  Non-IP  protocol  ACLs  (see  Table  26-1  on  page  26-6)  or  bridge-group  ACLs 

•  IP  accounting 

•  Inbound  and  outbound  rate  limiting  (except  with  QoS  ACLs) 

•  Reflexive  ACLs  or  dynamic  ACLs  (except  for  some  specialized  dynamic  ACLs  used  by  the  switch 
clustering  feature) 

•  ACL  logging 

These  are  the  steps  to  use  IP  ACLs  on  the  switch: 

Step  1      Create  an  ACL  by  specifying  an  access  list  number  or  name  and  the  access  conditions. 

Step  2      Apply  the  ACL  to  interfaces  or  terminal  lines.  You  can  also  apply  standard  and  extended  IP  ACLs  to 
VLAN  maps. 


These  sections  contain  this  configuration  information: 

•  Creating  Standard  and  Extended  IPv4  ACLs,  page  26-6 

•  Applying  an  IPv4  ACL  to  a  Terminal  Line,  page  26-16 

•  Applying  an  IPv4  ACL  to  an  Interface,  page  26-17 

•  Hardware  and  Software  Treatment  of  IP  ACLs,  page  26-18 

•  IPv4  ACL  Configuration  Examples,  page  26-18 
Creating Standard and Extended IPv4 ACLs 

This  section  describes  IP  ACLs.  An  ACL  is  a  sequential  collection  of  permit  and  deny  conditions.  One 
by  one,  the  switch  tests  packets  against  the  conditions  in  an  access  list.  The  first  match  determines 
whether  the  switch  accepts  or  rejects  the  packet.  Because  the  switch  stops  testing  after  the  first  match, 
the  order  of  the  conditions  is  critical.  If  no  conditions  match,  the  switch  denies  the  packet. 

The  software  supports  these  types  of  ACLs  or  access  lists  for  IPv4: 

•  Standard  IP  access  lists  use  source  addresses  for  matching  operations. 

•  Extended  IP  access  lists  use  source  and  destination  addresses  for  matching  operations  and  optional 
protocol-type  information  for  finer  granularity  of  control. 

These  sections  describe  access  lists  and  how  to  create  them: 

•  Access  List  Numbers,  page  26-6 

•  Creating  a  Numbered  Standard  ACL,  page  26-7 

•  Creating  a  Numbered  Extended  ACL,  page  26-8 

•  Resequencing  ACEs  in  an  ACL,  page  26-12 

•  Creating  Named  Standard  and  Extended  ACLs,  page  26-12 

•  Using  Time  Ranges  with  ACLs,  page  26-14 

•  Including  Comments  in  ACLs,  page  26-16 

Access  List  Numbers 

The  number  you  use  to  denote  your  ACL  shows  the  type  of  access  list  that  you  are  creating.  Table  26-1 
lists  the  access-list  number  and  corresponding  access  list  type  and  shows  whether  or  not  they  are 
supported  in  the  switch.  The  switch  supports  IPv4  standard  and  extended  access  lists,  numbers  1  to  199 
and  1300  to  2699. 

Table 26-1        Access List Numbers 

Access List Number   Type                                        Supported 
1-99                 IP standard access list                     Yes 
100-199              IP extended access list                     Yes 
200-299              Protocol type-code access list              No 
300-399              DECnet access list                          No 
400-499              XNS standard access list                    No 
500-599              XNS extended access list                    No 
600-699              AppleTalk access list                       No 
700-799              48-bit MAC address access list              No 
800-899              IPX standard access list                    No 
900-999              IPX extended access list                    No 
1000-1099            IPX SAP access list                         No 
1100-1199            Extended 48-bit MAC address access list     No 
1200-1299            IPX summary address access list             No 
1300-1999            IP standard access list (expanded range)    Yes 
2000-2699            IP extended access list (expanded range)    Yes 

Note      In  addition  to  numbered  standard  and  extended  ACLs,  you  can  also  create  standard  and  extended  named 
IP  ACLs  by  using  the  supported  numbers.  That  is,  the  name  of  a  standard  IP  ACL  can  be  1  to  99;  the 
name  of  an  extended  IP  ACL  can  be  100  to  199.  The  advantage  of  using  named  ACLs  instead  of 
numbered  lists  is  that  you  can  delete  individual  entries  from  a  named  list. 


Creating  a  Numbered  Standard  ACL 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  create  a  numbered  standard  ACL: 


Step 1     configure terminal 
           Enter global configuration mode. 

Step 2     access-list access-list-number {deny | permit} source [source-wildcard] 
           Define a standard IPv4 access list by using a source address and wildcard. 

           The access-list-number is a decimal number from 1 to 99 or 1300 to 1999. 

           Enter deny or permit to specify whether to deny or permit access if conditions are matched. 

           The source is the source address of the network or host from which the packet is being sent, specified as: 

           • The 32-bit quantity in dotted-decimal format. 

           • The keyword any as an abbreviation for source and source-wildcard of 0.0.0.0 255.255.255.255. You do not need to enter a source-wildcard. 

           • The keyword host as an abbreviation for source and source-wildcard of source 0.0.0.0. 

           (Optional) The source-wildcard applies wildcard bits to the source. 

Step 3     end 
           Return to privileged EXEC mode. 

Step 4     show access-lists [number | name] 
           Show the access list configuration. 

Step 5     copy running-config startup-config 
           (Optional) Save your entries in the configuration file. 

Use  the  no  access-list  access-list-number  global  configuration  command  to  delete  the  entire  ACL.  You 
cannot  delete  individual  ACEs  from  numbered  access  lists. 

Note      When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny 
statement for all packets that it did not find a match for before reaching the end. With standard access 
lists, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is assumed to 
be the mask. 


This  example  shows  how  to  create  a  standard  ACL  to  deny  access  to  IP  host  171.69.198.102,  permit 
access  to  any  others,  and  display  the  results. 

Switch(config)# access-list 2 deny host 171.69.198.102 
Switch(config)# access-list 2 permit any 
Switch(config)# end 
Switch# show access-lists 

Standard IP access list 2 
    10 deny   171.69.198.102 
    20 permit any 

The  switch  always  rewrites  the  order  of  standard  access  lists  so  that  entries  with  host  matches  and  entries 
with  matches  having  a  don't  care  mask  of  0.0.0.0  are  moved  to  the  top  of  the  list,  above  any  entries  with 
non-zero  don't  care  masks.  Therefore,  in  show  command  output  and  in  the  configuration  file,  the  ACEs 
do  not  necessarily  appear  in  the  order  in  which  they  were  entered. 
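
The rewrite matters when a host entry and a subnet entry overlap with opposite actions: in stored order the host entry is reached first. The following Python model is an added example, not part of the Cisco guide. It applies the host-first rewrite described above to a constructed standard ACL and evaluates the same source address under the entered order and the stored order. Function names are this example's own, and the model assumes the switch evaluates the list in the stored order that show access-lists displays.

```python
"""Standard ACL reordering modelled in Python (added example, not from the guide).

The guide says the switch stores standard ACL entries with host matches
(wildcard 0.0.0.0) above entries with non-zero wildcards. This applies that
rewrite to a constructed list and evaluates a source address under both the
entered and the stored order. Function names are this example's own; the model
assumes evaluation follows the stored order shown by `show access-lists`.
"""
from __future__ import annotations
from ipaddress import IPv4Address


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w) == 0


def parse_standard_ace(text: str) -> tuple[str, str, str]:
    """'deny 10.1.1.0 0.0.0.255', 'permit host 10.1.1.5', 'permit 10.1.1.7' or
    'permit any' -> (action, base, wildcard). An omitted mask means 0.0.0.0."""
    action, *rest = text.split()
    if rest == ["any"]:
        return action, "0.0.0.0", "255.255.255.255"
    if rest[0] == "host":
        return action, rest[1], "0.0.0.0"
    return action, rest[0], (rest[1] if len(rest) > 1 else "0.0.0.0")


def stored_order(aces):
    """Host entries first, then the rest; each group keeps its relative order."""
    hosts = [a for a in aces if a[2] == "0.0.0.0"]
    others = [a for a in aces if a[2] != "0.0.0.0"]
    return hosts + others


def evaluate(aces, src: str) -> str:
    """First match wins; implicit deny if nothing matches."""
    for action, base, wc in aces:
        if wildcard_match(src, base, wc):
            return action
    return "deny"


def show(aces, number: int) -> str:
    """Approximates `show access-lists` output for a standard list."""
    lines = [f"Standard IP access list {number}"]
    for i, (action, base, wc) in enumerate(aces, start=1):
        target = base if wc == "0.0.0.0" else f"{base}, wildcard bits {wc}"
        lines.append(f"    {i * 10} {action} {target}")
    return "\n".join(lines)


# Constructed list: as entered, the subnet deny would shadow the host permit.
ENTERED = [parse_standard_ace(t) for t in (
    "deny 10.1.1.0 0.0.0.255",
    "permit host 10.1.1.5",
    "permit any",
)]
STORED = stored_order(ENTERED)


def compare(src: str) -> tuple[str, str]:
    """(verdict in entered order, verdict in stored order) for one source address."""
    return evaluate(ENTERED, src), evaluate(STORED, src)


if __name__ == "__main__":
    print(show(STORED, 3))
    for src in ("10.1.1.5", "10.1.1.6", "10.2.0.1"):
        print(src, compare(src))
```

For 10.1.1.5 the entered order yields deny and the stored order yields permit; every other 10.1.1.x host is denied either way. Treat host entries as exceptions that are always evaluated first, and confirm the stored order with show access-lists before applying the list.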

After  creating  a  numbered  standard  IPv4  ACL,  you  can  apply  it  to  terminal  lines  (see  the  "Applying  an 
IPv4  ACL  to  a  Terminal  Line"  section  on  page  26-16),  to  interfaces  (see  the  "Applying  an  IPv4  ACL  to 
an  Interface"  section  on  page  26-17),  or  to  VLANs  (see  the  "Configuring  VLAN  Maps"  section  on 
page  26-22). 

Creating  a  Numbered  Extended  ACL 

Although  standard  ACLs  use  only  source  addresses  for  matching,  you  can  use  extended  ACL  source  and 
destination  addresses  for  matching  operations  and  optional  protocol  type  information  for  finer 
granularity  of  control.  When  you  are  creating  ACEs  in  numbered  extended  access  lists,  remember  that 
after  you  create  the  ACL,  any  additions  are  placed  at  the  end  of  the  list.  You  cannot  reorder  the  list  or 
selectively  add  or  remove  ACEs  from  a  numbered  list. 

Some  protocols  also  have  specific  parameters  and  keywords  that  apply  to  that  protocol. 

These IP protocols are supported (protocol keywords are in parentheses in bold): 

Authentication Header Protocol (ahp), Enhanced Interior Gateway Routing Protocol (eigrp), 
Encapsulation Security Payload (esp), generic routing encapsulation (gre), Internet Control Message 
Protocol (icmp), Internet Group Management Protocol (igmp), any Internet Protocol (ip), IP in IP 
tunneling (ipinip), KA9Q NOS-compatible IP over IP tunneling (nos), Open Shortest Path First routing 
(ospf), Payload Compression Protocol (pcp), Protocol Independent Multicast (pim), Transmission 
Control Protocol (tcp), or User Datagram Protocol (udp). 

Note      ICMP  echo-reply  cannot  be  filtered.  All  other  ICMP  codes  or  types  can  be  filtered. 


For  more  details  on  the  specific  keywords  for  each  protocol,  see  these  command  references: 

•  Cisco  IOS  IP  Command  Reference,  Volume  1  of  3:  Addressing  and  Services,  Release  12.2 

•  Cisco  IOS  IP  Command  Reference,  Volume  2  of  3:  Routing  Protocols,  Release  12.2 

•  Cisco  IOS  IP  Command  Reference,  Volume  3  of  3:  Multicast,  Release  12.2 

Note      The switch does not support dynamic or reflexive access lists. It also does not support filtering based on 
the type of service (ToS) minimize-monetary-cost bit. 

Supported  parameters  can  be  grouped  into  these  categories:  TCP,  UDP,  ICMP,  IGMP,  or  other  IP. 
Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  create  an  extended  ACL: 


Step 1     configure terminal 
           Enter global configuration mode. 

Step 2a    access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp] 

           Note  If you enter a dscp value, you cannot enter tos or precedence. You can enter both a tos and a precedence value with no dscp. 

           Define an extended IPv4 access list and the access conditions. 

           The access-list-number is a decimal number from 100 to 199 or 2000 to 2699. 

           Enter deny or permit to specify whether to deny or permit the packet if conditions are matched. 

           For protocol, enter the name or number of an IP protocol: ahp, eigrp, esp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pcp, pim, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip. 

           Note  This step includes options for most IP protocols. For additional specific parameters for TCP, UDP, ICMP, and IGMP, see Steps 2b through 2e. 

           The source is the number of the network or host from which the packet is sent. 

           The source-wildcard applies wildcard bits to the source. 

           The destination is the network or host number to which the packet is sent. 

           The destination-wildcard applies wildcard bits to the destination. 

           Source, source-wildcard, destination, and destination-wildcard can be specified as: 

           • The 32-bit quantity in dotted-decimal format. 

           • The keyword any for 0.0.0.0 255.255.255.255 (any host). 

           • The keyword host for a single host 0.0.0.0. 

           The other keywords are optional and have these meanings: 

           • precedence — Enter to match packets with a precedence level specified as a number from 0 to 7 or by name: routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), network (7). 

           • fragments — Enter to check non-initial fragments. 

           • tos — Enter to match by type of service level, specified by a number from 0 to 15 or a name: normal (0), max-reliability (2), max-throughput (4), min-delay (8). 

           • time-range — For an explanation of this keyword, see the "Using Time Ranges with ACLs" section on page 26-14. 

           • dscp — Enter to match packets with the DSCP value specified by a number from 0 to 63, or use the question mark (?) to see a list of available values. 
           or 

           access-list access-list-number {deny | permit} protocol any any [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp] 

           In access-list configuration mode, define an extended IP access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255 and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.255.255. 

           You can use the any keyword in place of source and destination address and wildcard. 

           or 

           access-list access-list-number {deny | permit} protocol host source host destination [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp] 

           Define an extended IP access list by using an abbreviation for a source and a source wildcard of source 0.0.0.0 and an abbreviation for a destination and destination wildcard of destination 0.0.0.0. 

           You can use the host keyword in place of the source and destination wildcard or mask. 

Step 2b    access-list access-list-number {deny | permit} tcp source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp] [flag] 

           (Optional) Define an extended TCP access list and the access conditions. Enter tcp for Transmission Control Protocol. 

           The parameters are the same as those described in Step 2a, with these exceptions: 

           (Optional) Enter an operator and port to compare the source port (if positioned after source source-wildcard) or the destination port (if positioned after destination destination-wildcard). Possible operators include eq (equal), gt (greater than), lt (less than), neq (not equal), and range (inclusive range). Operators require a port number (range requires two port numbers separated by a space). 

           Enter the port number as a decimal number (from 0 to 65535) or the name of a TCP port. To see TCP port names, use the ? or see the "Configuring IP Services" section in the "IP Addressing and Services" chapter of the Cisco IOS IP Configuration Guide, Release 12.2. Use only TCP port numbers or names when filtering TCP. 

           The other optional keywords have these meanings: 

           • established — Enter to match an established connection. This has the same function as matching on the ack or rst flag. 

           • flag — Enter one of these flags to match by the specified TCP header bits: ack (acknowledge), fin (finish), psh (push), rst (reset), syn (synchronize), or urg (urgent). 

Step 2c    access-list access-list-number {deny | permit} udp source source-wildcard [operator port] destination destination-wildcard [operator port] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp] 

           (Optional) Define an extended UDP access list and the access conditions. Enter udp for the User Datagram Protocol. 

           The UDP parameters are the same as those described for TCP except that the [operator [port]] port number or name must be a UDP port number or name, and the flag and established parameters are not valid for UDP. 
Step 2d    access-list access-list-number {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp] 

           (Optional) Define an extended ICMP access list and the access conditions. Enter icmp for Internet Control Message Protocol. 

           The ICMP parameters are the same as those described for most IP protocols in Step 2a, with the addition of the ICMP message type and code parameters. These optional keywords have these meanings: 

           • icmp-type — Enter to filter by ICMP message type, a number from 0 to 255. 

           • icmp-code — Enter to filter ICMP packets by ICMP message code, a number from 0 to 255. 

           • icmp-message — Enter to filter ICMP packets by the ICMP message type name or the ICMP message type and code name. To see a list of ICMP message type names and code names, use the ?, or see the "Configuring IP Services" section of the Cisco IOS IP Configuration Guide, Release 12.2. 

Step 2e    access-list access-list-number {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp] 

           (Optional) Define an extended IGMP access list and the access conditions. Enter igmp for Internet Group Management Protocol. 

           The IGMP parameters are the same as those described for most IP protocols in Step 2a, with this optional parameter: 

           igmp-type — To match IGMP message type, enter a number from 0 to 15, or enter the message name (dvmrp, host-query, host-report, pim, or trace). 

Step 3     end 
           Return to privileged EXEC mode. 

Step 4     show access-lists [number | name] 
           Verify the access list configuration. 

Step 5     copy running-config startup-config 
           (Optional) Save your entries in the configuration file. 

Use  the  no  access-list  access-list-number  global  configuration  command  to  delete  the  entire  access  list. 
You  cannot  delete  individual  ACEs  from  numbered  access  lists. 

This  example  shows  how  to  create  and  display  an  extended  access  list  to  deny  Telnet  access  from  any 
host  in  network  171.69.198.0  to  any  host  in  network  172.20.52.0  and  to  permit  any  others.  (The  eq 
keyword  after  the  destination  address  means  to  test  for  the  TCP  destination  port  number  equaling 
Telnet.) 

Switch(config)# access-list 102 deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet 
Switch(config)# access-list 102 permit tcp any any 
Switch(config)# end 
Switch# show access-lists 

Extended IP access list 102 
    10 deny tcp 171.69.198.0 0.0.0.255 172.20.52.0 0.0.0.255 eq telnet 
    20 permit tcp any any 

After  an  ACL  is  created,  any  additions  (possibly  entered  from  the  terminal)  are  placed  at  the  end  of  the 
list.  You  cannot  selectively  add  or  remove  access  list  entries  from  a  numbered  access  list. 


Note      When  you  are  creating  an  ACL,  remember  that,  by  default,  the  end  of  the  access  list  contains  an  implicit 
deny  statement  for  all  packets  if  it  did  not  find  a  match  before  reaching  the  end. 
After creating a numbered extended ACL, you can apply it to terminal lines (see the "Applying an IPv4 
ACL  to  a  Terminal  Line"  section  on  page  26-16),  to  interfaces  (see  the  "Applying  an  IPv4  ACL  to  an 
Interface"  section  on  page  26-17),  or  to  VLANs  (see  the  "Configuring  VLAN  Maps"  section  on 
page  26-22). 

Resequencing  ACEs  in  an  ACL 

In  Cisco  IOS  Release  12.2(18)SE  and  later,  sequence  numbers  for  the  entries  in  an  access  list  are 
automatically  generated  when  you  create  a  new  ACL.  You  can  use  the  ip  access-list  resequence  global 
configuration  command  to  edit  the  sequence  numbers  in  an  ACL  and  change  the  order  in  which  ACEs 
are  applied.  For  example,  if  you  add  a  new  ACE  to  an  ACL,  it  is  placed  at  the  bottom  of  the  list.  By 
changing  the  sequence  number,  you  can  move  the  ACE  to  a  different  position  in  the  ACL. 

For more information about the ip access-list resequence command, see this URL: 

http://www.cisco.com/en/US/products/ps6350/products_command_reference_chapter09186a0080446277.html#wp1201217 

Creating  Named  Standard  and  Extended  ACLs 

You  can  identify  IPv4  ACLs  with  an  alphanumeric  string  (a  name)  rather  than  a  number.  You  can  use 
named  ACLs  to  configure  more  IPv4  access  lists  in  a  router  than  if  you  were  to  use  numbered  access 
lists.  If  you  identify  your  access  list  with  a  name  rather  than  a  number,  the  mode  and  command  syntax 
are  slightly  different.  However,  not  all  commands  that  use  IP  access  lists  accept  a  named  access  list. 

Note      The  name  you  give  to  a  standard  or  extended  ACL  can  also  be  a  number  in  the  supported  range  of  access 
list  numbers.  That  is,  the  name  of  a  standard  IP  ACL  can  be  1  to  99;  the  name  of  an  extended  IP  ACL 
can  be  100  to  199.  The  advantage  of  using  named  ACLs  instead  of  numbered  lists  is  that  you  can  delete 
individual  entries  from  a  named  list. 

Consider  these  guidelines  and  limitations  before  configuring  named  ACLs: 

•  Not  all  commands  that  accept  a  numbered  ACL  accept  a  named  ACL.  ACLs  for  packet  filters  and 
route  filters  on  interfaces  can  use  a  name.  VLAN  maps  also  accept  a  name. 

•  A  standard  ACL  and  an  extended  ACL  cannot  have  the  same  name. 

•  Numbered  ACLs  are  also  available,  as  described  in  the  "Creating  Standard  and  Extended  IPv4 
ACLs"  section  on  page  26-6. 

• You can use standard and extended ACLs (named or numbered) in VLAN maps. 

Beginning in privileged EXEC mode, follow these steps to create a standard ACL using names: 


Step 1     configure terminal 
           Enter global configuration mode. 

Step 2     ip access-list standard name 
           Define a standard IPv4 access list using a name, and enter access-list configuration mode. 

           The name can be a number from 1 to 99. 

Step 3     deny {source [source-wildcard] | host source | any} 
           or 
           permit {source [source-wildcard] | host source | any} 

           In access-list configuration mode, specify one or more conditions denied or permitted to decide if the packet is forwarded or dropped. 

           • host source — A source and source wildcard of source 0.0.0.0. 

           • any — A source and source wildcard of 0.0.0.0 255.255.255.255. 

Step 4     end 
           Return to privileged EXEC mode. 

Step 5     show access-lists [number | name] 
           Show the access list configuration. 

Step 6     copy running-config startup-config 
           (Optional) Save your entries in the configuration file. 

To  remove  a  named  standard  ACL,  use  the  no  ip  access-list  standard  name  global  configuration 
command. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  create  an  extended  ACL  using  names: 


Step 1     configure terminal 
           Enter global configuration mode. 

Step 2     ip access-list extended name 
           Define an extended IPv4 access list using a name, and enter access-list configuration mode. 

           The name can be a number from 100 to 199. 

Step 3     {deny | permit} protocol {source [source-wildcard] | host source | any} {destination [destination-wildcard] | host destination | any} [precedence precedence] [tos tos] [established] [time-range time-range-name] 

           In access-list configuration mode, specify the conditions allowed or denied. 

           See the "Creating a Numbered Extended ACL" section on page 26-8 for definitions of protocols and other keywords. 

           • host source — A source and source wildcard of source 0.0.0.0. 

           • host destination — A destination and destination wildcard of destination 0.0.0.0. 

           • any — A source and source wildcard or destination and destination wildcard of 0.0.0.0 255.255.255.255. 

Step 4     end 
           Return to privileged EXEC mode. 

Step 5     show access-lists [number | name] 
           Show the access list configuration. 

Step 6     copy running-config startup-config 
           (Optional) Save your entries in the configuration file. 

To  remove  a  named  extended  ACL,  use  the  no  ip  access-list  extended  name  global  configuration 
command. 

When you are creating standard or extended ACLs, remember that, by default, the end of the ACL contains
an implicit deny statement for everything that did not match an earlier entry. For standard
ACLs, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is
assumed to be the mask.
After you create an ACL, any additions are placed at the end of the list. You cannot selectively add ACL
entries to a specific ACL. However, you can use no permit and no deny access-list configuration mode
commands to remove entries from a named ACL. This example shows how you can delete individual
ACEs from the named access list border-list:

Switch(config)# ip access-list extended border-list
Switch(config-ext-nacl)# no permit ip host 10.1.1.3 any

Being able to selectively remove lines from a named ACL is one reason you might use named ACLs
instead of numbered ACLs.

After  creating  a  named  ACL,  you  can  apply  it  to  interfaces  (see  the  "Applying  an  IPv4  ACL  to  an 
Interface"  section  on  page  26-17)  or  to  VLANs  (see  the  "Configuring  VLAN  Maps"  section  on 
page  26-22). 

Using  Time  Ranges  with  ACLs 

You  can  selectively  apply  extended  ACLs  based  on  the  time  of  day  and  the  week  by  using  the 
time-range  global  configuration  command.  First,  define  a  time-range  name  and  set  the  times  and  the 
dates  or  the  days  of  the  week  in  the  time  range.  Then  enter  the  time-range  name  when  applying  an  ACL 
to  set  restrictions  to  the  access  list.  You  can  use  the  time  range  to  define  when  the  permit  or  deny 
statements  in  the  ACL  are  in  effect,  for  example,  during  a  specified  time  period  or  on  specified  days  of 
the  week.  The  time-range  keyword  and  argument  are  referenced  in  the  named  and  numbered  extended 
ACL  task  tables  in  the  previous  sections,  the  "Creating  Standard  and  Extended  IPv4  ACLs"  section  on 
page  26-6,  and  the  "Creating  Named  Standard  and  Extended  ACLs"  section  on  page  26-12. 

Time-based access lists trigger CPU activity because the new configuration of the access list must be
merged with other features and the combined configuration loaded into the TCAM. For this reason, you
should be careful not to have several access lists configured to take effect in close succession (within a
small number of minutes of each other).


Note      The  time  range  relies  on  the  switch  system  clock;  therefore,  you  need  a  reliable  clock  source.  We 
recommend  that  you  use  Network  Time  Protocol  (NTP)  to  synchronize  the  switch  clock.  For  more 
information,  see  the  "Managing  the  System  Time  and  Date"  section  on  page  4-1. 


Beginning in privileged EXEC mode, follow these steps to configure a time-range parameter for an
ACL:

Step 1    configure terminal
          Enter global configuration mode.

Step 2    time-range time-range-name
          Assign a meaningful name (for example, workhours) to the time range to be created, and
          enter time-range configuration mode. The name cannot contain a space or quotation mark
          and must begin with a letter.

Step 3    absolute [start time date] [end time date]
          or
          periodic day-of-the-week hh:mm to [day-of-the-week] hh:mm
          or
          periodic {weekdays | weekend | daily} hh:mm to hh:mm
          Specify when the function it will be applied to is operational.
          •  You can use only one absolute statement in the time range. If you configure more than
             one absolute statement, only the one configured last is executed.
          •  You can enter multiple periodic statements. For example, you could configure different
             hours for weekdays and weekends.
          See the example configurations.

Step 4    end
          Return to privileged EXEC mode.

Step 5    show time-range
          Verify the time-range configuration.

Step 6    copy running-config startup-config
          (Optional) Save your entries in the configuration file.

Repeat  the  steps  if  you  have  multiple  items  that  you  want  in  effect  at  different  times. 

To  remove  a  configured  time-range  limitation,  use  the  no  time-range  time-range-name  global 
configuration  command. 

This example shows how to configure time ranges for workhours and to configure January 1, 2006, as a
company holiday and to verify your configuration.

Switch(config)# time-range workhours
Switch(config-time-range)# periodic weekdays 8:00 to 12:00
Switch(config-time-range)# periodic weekdays 13:00 to 17:00
Switch(config-time-range)# exit
Switch(config)# time-range new_year_day_2006
Switch(config-time-range)# absolute start 00:00 1 Jan 2006 end 23:59 1 Jan 2006
Switch(config-time-range)# end
Switch# show time-range
time-range entry: new_year_day_2006 (inactive)
   absolute start 00:00 01 January 2006 end 23:59 01 January 2006
time-range entry: workhours (inactive)
   periodic weekdays 8:00 to 12:00
   periodic weekdays 13:00 to 17:00

To  apply  a  time  range,  enter  the  time-range  name  in  an  extended  ACL  that  can  implement  time  ranges. 
This  example  shows  how  to  create  and  verify  extended  access  list  188  that  denies  TCP  traffic  from  any 
source  to  any  destination  during  the  defined  holiday  times  and  permits  all  TCP  traffic  during  work  hours. 

Switch(config)# access-list 188 deny tcp any any time-range new_year_day_2006
Switch(config)# access-list 188 permit tcp any any time-range workhours
Switch(config)# end
Switch# show access-lists
Extended IP access list 188
   10 deny tcp any any time-range new_year_day_2006 (inactive)
   20 permit tcp any any time-range workhours (inactive)

This  example  uses  named  ACLs  to  permit  and  deny  the  same  traffic. 

Switch(config)# ip access-list extended deny_access
Switch(config-ext-nacl)# deny tcp any any time-range new_year_day_2006
Switch(config-ext-nacl)# exit
Switch(config)# ip access-list extended may_access
Switch(config-ext-nacl)# permit tcp any any time-range workhours
Switch(config-ext-nacl)# end
Switch# show ip access-lists
Extended IP access list lpip_default
   10 permit ip any any
Extended IP access list deny_access
   10 deny tcp any any time-range new_year_day_2006 (inactive)
Extended IP access list may_access
   10 permit tcp any any time-range workhours (inactive)
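As an added illustration (not Cisco code) of the (active)/(inactive) flags shown above and of what an inactive time range does to the entries of access list 188, the following Python model applies the rules from the time-range task table: several periodic statements coexist, only the last absolute statement configured takes effect, and an ACE whose time range is inactive is skipped. It assumes that the end minute of a periodic window lies inside the window and models only the same-day periodic form; the instants it is tested at are constructed.

```python
from datetime import datetime, time
from typing import Dict

DAY_INDEX = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
             "friday": 4, "saturday": 5, "sunday": 6}
DAY_GROUPS = {"weekdays": {0, 1, 2, 3, 4}, "weekend": {5, 6}, "daily": set(range(7))}


def parse_clock(text: str) -> time:
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))


def parse_stamp(tokens) -> datetime:
    """Accept '00:00 1 Jan 2006' as typed or '00:00 01 January 2006' as displayed."""
    text = " ".join(tokens)
    for fmt in ("%H:%M %d %b %Y", "%H:%M %d %B %Y"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("bad absolute time: " + text)


class TimeRange:
    def __init__(self, name: str):
        self.name = name
        self.absolute = None   # (start or None, end or None); at most one survives
        self.periodic = []     # (set of weekday numbers, start, end); any number allowed

    def configure(self, line: str) -> None:
        """Apply one time-range configuration mode command."""
        tokens = line.split()
        if tokens[0] == "absolute":
            start = end = None
            i = 1
            while i < len(tokens):
                stamp = parse_stamp(tokens[i + 1:i + 5])
                if tokens[i] == "start":
                    start = stamp
                else:
                    end = stamp
                i += 5
            self.absolute = (start, end)   # a later absolute replaces the earlier one
        elif tokens[0] == "periodic":
            to = tokens.index("to")
            if tokens[to + 1] in DAY_INDEX:
                raise ValueError("cross-day form not modelled: " + line)
            days = set()
            for word in tokens[1:to - 1]:
                days |= DAY_GROUPS[word] if word in DAY_GROUPS else {DAY_INDEX[word]}
            self.periodic.append((days, parse_clock(tokens[to - 1]), parse_clock(tokens[to + 1])))
        else:
            raise ValueError("unsupported command: " + line)

    def is_active(self, now: datetime) -> bool:
        """Active when inside the absolute window (if one is set) and, if any
        periodic statement exists, inside at least one of them (assumption:
        the end minute is inclusive)."""
        if self.absolute is not None:
            start, end = self.absolute
            if (start is not None and now < start) or (end is not None and now > end):
                return False
        if not self.periodic:
            return True
        return any(now.weekday() in days and start <= now.time() <= end
                   for days, start, end in self.periodic)


def show_time_range(ranges: Dict[str, TimeRange], now: datetime) -> Dict[str, str]:
    """The active/inactive flag that show time-range prints, for a given instant."""
    return {name: "active" if tr.is_active(now) else "inactive" for name, tr in ranges.items()}


def acl_188_action(ranges: Dict[str, TimeRange], now: datetime) -> str:
    """The page's ACL 188: an ACE whose time range is inactive is skipped, so
    outside both windows TCP falls through to the implicit deny."""
    entries = [("deny", "new_year_day_2006"), ("permit", "workhours")]
    for action, range_name in entries:
        if ranges[range_name].is_active(now):
            return action
    return "deny"


def build_page_ranges() -> Dict[str, TimeRange]:
    """The two time ranges from the page's example, rebuilt here."""
    workhours = TimeRange("workhours")
    workhours.configure("periodic weekdays 8:00 to 12:00")
    workhours.configure("periodic weekdays 13:00 to 17:00")
    holiday = TimeRange("new_year_day_2006")
    holiday.configure("absolute start 00:00 1 Jan 2006 end 23:59 1 Jan 2006")
    return {"workhours": workhours, "new_year_day_2006": holiday}
```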
Including Comments in ACLs


You  can  use  the  remark  keyword  to  include  comments  (remarks)  about  entries  in  any  IP  standard  or 
extended  ACL.  The  remarks  make  the  ACL  easier  for  you  to  understand  and  scan.  Each  remark  line  is 
limited  to  100  characters. 

The  remark  can  go  before  or  after  a  permit  or  deny  statement.  You  should  be  consistent  about  where  you 
put  the  remark  so  that  it  is  clear  which  remark  describes  which  permit  or  deny  statement.  For  example, 
it  would  be  confusing  to  have  some  remarks  before  the  associated  permit  or  deny  statements  and  some 
remarks  after  the  associated  statements. 

To include a comment for IP numbered standard or extended ACLs, use the access-list access-list-number
remark remark global configuration command. To remove the remark, use the no form of this
command.

In  this  example,  the  server  that  belongs  to  Jones  is  allowed  access,  and  the  workstation  that  belongs  to 
Smith  is  not  allowed  access: 

Switch(config)# access-list 1 remark Permit only Jones server through
Switch(config)# access-list 1 permit 171.69.2.88
Switch(config)# access-list 1 remark Do not allow Smith server through
Switch(config)# access-list 1 deny 171.69.3.13

For  an  entry  in  a  named  IP  ACL,  use  the  remark  access-list  configuration  command.  To  remove  the 
remark,  use  the  no  form  of  this  command. 

In  this  example,  the  Jones  subnet  is  not  allowed  to  use  outbound  Telnet: 

Switch(config)# ip access-list extended telnetting
Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
Switch(config-ext-nacl)# deny tcp host 171.69.2.88 any eq telnet


Applying  an  IPv4  ACL  to  a  Terminal  Line 

You  can  use  numbered  ACLs  to  control  access  to  one  or  more  terminal  lines.  You  cannot  apply  named 
ACLs  to  lines.  You  must  set  identical  restrictions  on  all  the  virtual  terminal  lines  because  a  user  can 
attempt  to  connect  to  any  of  them. 

For procedures for applying ACLs to interfaces, see the "Applying an IPv4 ACL to an Interface" section
on page 26-17. For applying ACLs to VLANs, see the "Configuring VLAN Maps" section on
page 26-22.

Beginning in privileged EXEC mode, follow these steps to restrict incoming and outgoing connections
between a virtual terminal line and the addresses in an ACL:

Step 1    configure terminal
          Enter global configuration mode.

Step 2    line [console | vty] line-number
          Identify a specific line to configure, and enter line configuration mode.
          •  console — Specify the console terminal line. The console port is DCE.
          •  vty — Specify a virtual terminal for remote console access.
          The line-number is the first line number in a contiguous group that you want to configure
          when the line type is specified. The range is from 0 to 16.

Step 3    access-class access-list-number {in | out}
          Restrict incoming and outgoing connections between a particular virtual terminal line
          (into a device) and the addresses in an access list.

Step 4    end
          Return to privileged EXEC mode.

Step 5    show running-config
          Display the access list configuration.

Step 6    copy running-config startup-config
          (Optional) Save your entries in the configuration file.

To remove an ACL from a terminal line, use the no access-class access-list-number {in | out} line
configuration command.


Applying  an  IPv4  ACL  to  an  Interface 

This  section  describes  how  to  apply  IPv4  ACLs  to  network  interfaces.  Note  these  guidelines: 

•  Apply  an  ACL  only  to  inbound  Layer  2  interfaces. 

•  When  controlling  access  to  an  interface,  you  can  use  a  named  or  numbered  ACL. 

•  If  you  apply  an  ACL  to  a  Layer  2  interface  that  is  a  member  of  a  VLAN,  the  Layer  2  (port)  ACL 
takes  precedence  over  a  VLAN  map  applied  to  the  VLAN.  Incoming  packets  received  on  the  Layer 
2  port  are  always  filtered  by  the  port  ACL. 

Beginning in privileged EXEC mode, follow these steps to control access to an interface:

Step 1    configure terminal
          Enter global configuration mode.

Step 2    interface interface-id
          Identify a specific interface for configuration, and enter interface configuration mode.

Step 3    ip access-group {access-list-number | name} {in}
          Control access to the specified interface.

Step 4    end
          Return to privileged EXEC mode.

Step 5    show running-config
          Display the access list configuration.

Step 6    copy running-config startup-config
          (Optional) Save your entries in the configuration file.

To remove the specified access group, use the no ip access-group {access-list-number | name} {in}
interface configuration command.

This  example  shows  how  to  apply  access  list  2  to  a  port  to  filter  packets  entering  the  port: 

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 2 in

For  inbound  ACLs,  after  receiving  a  packet,  the  switch  checks  the  packet  against  the  ACL.  If  the  ACL 
permits  the  packet,  the  switch  continues  to  process  the  packet.  If  the  ACL  rejects  the  packet,  the  switch 
discards  the  packet. 

When  you  apply  an  undefined  ACL  to  an  interface,  the  switch  acts  as  if  the  ACL  has  not  been  applied 
to  the  interface  and  permits  all  packets.  Remember  this  behavior  if  you  use  undefined  ACLs  for  network 
security. 
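To see how the rules in this chapter combine (first match wins, the implicit deny at the end, an omitted wildcard meaning 0.0.0.0, "any" meaning 0.0.0.0 255.255.255.255, and an ip access-group that names an undefined ACL permitting everything), here is an added Python model of the evaluation. It is example code, not Cisco software; the interface names, bindings and packets in it are constructed, and only the ip, tcp and udp protocol keywords and the eq port operator are modelled.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port names the page uses after "eq"; anything else is taken as a number.
PORT_NAMES = {"telnet": 23, "smtp": 25, "www": 80}
DOTTED_QUAD = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard is a don't-care bit,
    so 0.0.0.0 means 'exactly this host' and 255.255.255.255 means 'any'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(base)) & care)


def parse_addr(tokens: List[str]) -> Tuple[str, str, List[str]]:
    """Consume 'any' | 'host A' | 'A [wildcard]'; return (base, wildcard, rest).
    An omitted wildcard defaults to 0.0.0.0, as the text says for standard ACLs."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if len(tokens) > 1 and DOTTED_QUAD.fullmatch(tokens[1]):
        return tokens[0], tokens[1], tokens[2:]
    return tokens[0], "0.0.0.0", tokens[1:]


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol; also used for standard entries
    src: Tuple[str, str]            # (base, wildcard)
    dst: Optional[Tuple[str, str]]  # None for a standard entry
    dport: Optional[int]            # destination port from "eq", if any


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one standard or extended ACE as typed in the page's examples.
    Remark lines carry no match condition and yield None."""
    tokens = line.split()
    if tokens[0] == "remark":
        return None
    action, rest = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError("not an ACE: " + line)
    if rest[0] in ("ip", "tcp", "udp"):                 # extended form
        proto, rest = rest[0], rest[1:]
        src_base, src_wc, rest = parse_addr(rest)
        dst_base, dst_wc, rest = parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        return Ace(action, proto, (src_base, src_wc), (dst_base, dst_wc), dport)
    src_base, src_wc, _ = parse_addr(rest)              # standard form: source only
    return Ace(action, "ip", (src_base, src_wc), None, None)


def evaluate(acl_lines: List[str], packet: Dict) -> str:
    """First matching ACE decides; the implicit deny at the end catches the rest.
    packet has keys src, dst, proto and, for tcp/udp, dport."""
    for ace in filter(None, map(parse_ace, acl_lines)):
        if ace.proto != "ip" and ace.proto != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], *ace.src):
            continue
        if ace.dst is not None and not wildcard_match(packet["dst"], *ace.dst):
            continue
        if ace.dport is not None and ace.dport != packet.get("dport"):
            continue
        return ace.action
    return "deny"


def ingress_decision(bindings: Dict[str, str], acls: Dict[str, List[str]],
                     interface: str, packet: Dict) -> str:
    """ip access-group semantics from the text: a binding that names an ACL
    with no definition behaves as if nothing were applied, so all traffic passes."""
    name = bindings.get(interface)
    if name is None or name not in acls:
        return "permit"
    return evaluate(acls[name], packet)


# Constructed sample: the page's ACL 102 (Telnet and SMTP into 128.88.0.0/16)
# and ACL 106 (block HTTP), bound to made-up interface names.
ACLS = {
    "102": ["permit tcp any 128.88.0.0 0.0.255.255 eq 23",
            "permit tcp any 128.88.0.0 0.0.255.255 eq 25"],
    "106": ["remark block web traffic", "deny tcp any any eq 80", "permit ip any any"],
}
BINDINGS = {"gi0/1": "102", "gi0/2": "typo-acl"}   # gi0/2 names an ACL that was never defined

if __name__ == "__main__":
    mail = {"src": "10.9.8.7", "dst": "128.88.1.2", "proto": "tcp", "dport": 25}
    print(ingress_decision(BINDINGS, ACLS, "gi0/1", mail))   # permit
    print(ingress_decision(BINDINGS, ACLS, "gi0/2", mail))   # permit, because the ACL is undefined
```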
Hardware and Software Treatment of IP ACLs

ACL  processing  is  primarily  accomplished  in  hardware,  but  requires  forwarding  of  some  traffic  flows 
to  the  CPU  for  software  processing.  If  the  hardware  reaches  its  capacity  to  store  ACL  configurations, 
packets  are  sent  to  the  CPU  for  forwarding.  The  forwarding  rate  for  software-forwarded  traffic  is 
substantially  less  than  for  hardware-forwarded  traffic. 

If  ACLs  cause  large  numbers  of  packets  to  be  sent  to  the  CPU,  the  switch  performance  can  be  negatively 
affected. 

When  you  enter  the  show  ip  access-lists  privileged  EXEC  command,  the  match  count  displayed  does 
not  account  for  packets  that  are  access  controlled  in  hardware.  Use  the  show  access-lists  hardware 
counters  privileged  EXEC  command  to  obtain  some  basic  hardware  ACL  statistics  for  switched  packets. 


IPv4  ACL  Configuration  Examples 

This section provides examples of configuring and applying IPv4 ACLs. For detailed information about
compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.2, and the "Configuring
IP Services" section in the "IP Addressing and Services" chapter of the Cisco IOS IP Configuration
Guide, Release 12.2.

This  example  uses  a  standard  ACL  to  allow  a  port  access  to  a  specific  Internet  host  with  the  address 
172.20.128.64. 

Switch(config)# access-list 6 permit 172.20.128.64 0.0.0.0
Switch(config)# end
Switch# show access-lists
Standard IP access list 6
   10 permit 172.20.128.64 wildcard bits 0.0.0.0
Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 6 in

This  example  uses  an  extended  ACL  to  deny  to  a  port  traffic  coming  from  port  80  (HTTP).  It  permits  all 
other  types  of  traffic. 

Switch(config)# access-list 106 deny tcp any any eq 80
Switch(config)# access-list 106 permit ip any any
Switch(config)# end
Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 106 in

Numbered  ACLs 

This  ACL  accepts  addresses  on  network  36.0.0.0  subnets  and  denies  all  packets  coming  from  56.0.0.0 
subnets.  The  ACL  is  applied  to  packets  entering  a  port. 

Switch(config)# access-list 2 permit 36.0.0.0 0.255.255.255
Switch(config)# access-list 2 deny 56.0.0.0 0.255.255.255
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 2 in

Extended  ACLs 

In  this  example,  suppose  that  you  have  a  network  connected  to  the  Internet,  and  you  want  any  host  on 
the  network  to  be  able  to  form  TCP  connections  to  any  host  on  the  Internet.  However,  you  do  not  want 
IP  hosts  to  be  able  to  form  TCP  connections  to  hosts  on  your  network,  except  to  the  mail  (SMTP)  port 
of  a  dedicated  mail  host. 

SMTP  uses  TCP  port  25  on  one  end  of  the  connection  and  a  random  port  number  on  the  other  end.  The 
same  port  numbers  are  used  throughout  the  life  of  the  connection.  Mail  packets  coming  in  from  the 
Internet  have  a  destination  port  of  25.  Because  the  secure  system  of  the  network  always  accepts  mail 
connections  on  port  25,  the  incoming  services  are  controlled. 

Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 23
Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 25
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group 102 in


Named  ACLs 

This example creates an extended ACL named marketing_group. The marketing_group ACL allows any
TCP Telnet traffic to the destination address and wildcard 171.69.0.0 0.0.255.255 and denies any other
TCP traffic. It permits any other IP traffic.

Switch(config)# ip access-list extended marketing_group
Switch(config-ext-nacl)# permit tcp any 171.69.0.0 0.0.255.255 eq telnet
Switch(config-ext-nacl)# deny tcp any any
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit

The marketing_group ACL is applied to incoming traffic on a port.

Switch(config)# interface gigabitethernet0/2
Switch(config-if)# ip access-group marketing_group in

Time  Range  Applied  to  an  IP  ACL 

This  example  denies  HTTP  traffic  on  IP  on  Monday  through  Friday  between  the  hours  of  8:00  a.m.  and 
6:00  p.m  (18:00).  The  example  allows  UDP  traffic  only  on  Saturday  and  Sunday  from  noon  to  8:00  p.m. 
(20:00). 

Switch(config)# time-range no-http
Switch(config-time-range)# periodic weekdays 8:00 to 18:00
!
Switch(config)# time-range udp-yes
Switch(config-time-range)# periodic weekend 12:00 to 20:00
!
Switch(config)# ip access-list extended strict
Switch(config-ext-nacl)# deny tcp any any eq www time-range no-http
Switch(config-ext-nacl)# permit udp any any time-range udp-yes
!
Switch(config-ext-nacl)# exit
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group strict in

Commented  IP  ACL  Entries 

In  this  example  of  a  numbered  ACL,  the  server  that  belongs  to  Jones  is  allowed  access,  and  the 
workstation  that  belongs  to  Smith  is  not  allowed  access: 

Switch(config)# access-list 1 remark Permit only Jones server through
Switch(config)# access-list 1 permit 171.69.2.88
Switch(config)# access-list 1 remark Do not allow Smith server through
Switch(config)# access-list 1 deny 171.69.3.13
In this example of a numbered ACL, the Winter and Smith servers are not allowed to browse the web:

Switch(config)# access-list 100 remark Do not allow Winter to browse the web
Switch(config)# access-list 100 deny host 171.69.3.85 any eq www
Switch(config)# access-list 100 remark Do not allow Smith to browse the web
Switch(config)# access-list 100 deny host 171.69.3.13 any eq www

In this example of a named ACL, the Jones subnet is not allowed access:

Switch(config)# ip access-list standard prevention
Switch(config-std-nacl)# remark Do not allow Jones subnet through
Switch(config-std-nacl)# deny 171.69.0.0 0.0.255.255

In this example of a named ACL, the Jones subnet is not allowed to use outbound Telnet:

Switch(config)# ip access-list extended telnetting
Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
Switch(config-ext-nacl)# deny tcp 171.69.0.0 0.0.255.255 any eq telnet


Creating Named MAC Extended ACLs

You can filter non-IPv4 traffic on a VLAN or on a Layer 2 interface by using MAC addresses and named
MAC extended ACLs. The procedure is similar to that of configuring other extended named ACLs.

For more information about the supported non-IP protocols in the mac access-list extended command,
see the command reference for this release.


Note      Though visible in the command-line help strings, appletalk is not supported as a matching condition for
the deny and permit MAC access-list configuration mode commands.


Beginning in privileged EXEC mode, follow these steps to create a named MAC extended ACL:

Step 1    configure terminal
          Enter global configuration mode.

Step 2    mac access-list extended name
          Define an extended MAC access list using a name.

Step 3    {deny | permit} {any | host source MAC address | source MAC address mask}
          {any | host destination MAC address | destination MAC address mask}
          [type mask | lsap lsap mask | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm |
          etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps |
          netbios | vines-echo | vines-ip | xns-idp | 0-65535] [cos cos]
          In extended MAC access-list configuration mode, specify to permit or deny any source MAC
          address, a source MAC address with a mask, or a specific host source MAC address and any
          destination MAC address, destination MAC address with a mask, or a specific destination
          MAC address.
          (Optional) You can also enter these options:
          •  type mask — An arbitrary EtherType number of a packet with Ethernet II or SNAP
             encapsulation in decimal, hexadecimal, or octal with optional mask of don't care bits
             applied to the EtherType before testing for a match.
          •  lsap lsap mask — An LSAP number of a packet with IEEE 802.2 encapsulation in decimal,
             hexadecimal, or octal with optional mask of don't care bits.
          •  aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 |
             lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo |
             vines-ip | xns-idp — A non-IP protocol.
          •  cos cos — An IEEE 802.1Q class of service number from 0 to 7 used to set priority.

Step 4    end
          Return to privileged EXEC mode.

Step 5    show access-lists [number | name]
          Show the access list configuration.

Step 6    copy running-config startup-config
          (Optional) Save your entries in the configuration file.


Use  the  no  mac  access-list  extended  name  global  configuration  command  to  delete  the  entire  ACL.  You 
can  also  delete  individual  ACEs  from  named  MAC  extended  ACLs. 

This example shows how to create and display an access list named mac1, denying only EtherType
DECnet Phase IV traffic, but permitting all other types of traffic.

Switch(config)# mac access-list extended mac1
Switch(config-ext-macl)# deny any any decnet-iv
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# end
Switch# show access-lists
Extended MAC access list mac1
   10 deny any any decnet-iv
   20 permit any any


Applying  a  MAC  ACL  to  a  Layer  2  Interface 

After  you  create  a  MAC  ACL,  you  can  apply  it  to  a  Layer  2  interface  to  filter  non-IP  traffic  coming  in 
that  interface.  When  you  apply  the  MAC  ACL,  consider  these  guidelines: 

•  If  you  apply  an  ACL  to  a  Layer  2  interface  that  is  a  member  of  a  VLAN,  the  Layer  2  (port)  ACL 
takes  precedence  over  a  VLAN  map  applied  to  the  VLAN.  Incoming  packets  received  on  the  Layer 
2  port  are  always  filtered  by  the  port  ACL. 

•  You  can  apply  no  more  than  one  IP  access  list  and  one  MAC  access  list  to  the  same  Layer  2 
interface.  The  IP  access  list  filters  only  IP  packets,  and  the  MAC  access  list  filters  non-IP  packets. 
A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2
interface that has a MAC ACL configured, the new ACL replaces the previously configured one.


Beginning in privileged EXEC mode, follow these steps to apply a MAC access list to control access to
a Layer 2 interface:

Step 1    configure terminal
          Enter global configuration mode.

Step 2    interface interface-id
          Identify a specific interface, and enter interface configuration mode. The interface must
          be a physical Layer 2 interface (port ACL).

Step 3    mac access-group {name} {in}
          Control access to the specified interface by using the MAC access list.
          Port ACLs are supported only in the inbound direction.

Step 4    end
          Return to privileged EXEC mode.

Step 5    show mac access-group [interface interface-id]
          Display the MAC access list applied to the interface or all Layer 2 interfaces.

Step 6    copy running-config startup-config
          (Optional) Save your entries in the configuration file.

To  remove  the  specified  access  group,  use  the  no  mac  access-group  {name}  interface  configuration 
command. 

This example shows how to apply MAC access list mac1 to a port to filter packets entering the port:

Switch(config)# interface gigabitethernet0/2
Switch(config-if)# mac access-group mac1 in


Note      The  mac  access-group  interface  configuration  command  is  only  valid  when  applied  to  a  physical 
Layer  2  interface.  You  cannot  use  the  command  on  EtherChannel  port  channels. 


After  receiving  a  packet,  the  switch  checks  it  against  the  inbound  ACL.  If  the  ACL  permits  it,  the  switch 
continues  to  process  the  packet.  If  the  ACL  rejects  the  packet,  the  switch  discards  it.  When  you  apply  an 
undefined  ACL  to  an  interface,  the  switch  acts  as  if  the  ACL  has  not  been  applied  and  permits  all 
packets.  Remember  this  behavior  if  you  use  undefined  ACLs  for  network  security. 


Configuring  VLAN  Maps 

This  section  describes  how  to  configure  VLAN  maps,  which  is  the  only  way  to  control  filtering  within 
a  VLAN.  VLAN  maps  have  no  direction.  To  filter  traffic  in  a  specific  direction  by  using  a  VLAN  map, 
you  need  to  include  an  ACL  with  specific  source  or  destination  addresses.  If  there  is  a  match  clause  for 
that  type  of  packet  (IP  or  MAC)  in  the  VLAN  map,  the  default  action  is  to  drop  the  packet  if  the  packet 
does  not  match  any  of  the  entries  within  the  map.  If  there  is  no  match  clause  for  that  type  of  packet,  the 
default  is  to  forward  the  packet. 

For  complete  syntax  and  usage  information  for  the  commands  used  in  this  section,  see  the  command 
reference  for  this  release. 
To create a VLAN map and apply it to one or more VLANs, perform these steps:

Step 1    Create the standard or extended IPv4 ACLs or named MAC extended ACLs that you want to apply to
          the VLAN. See the "Creating Standard and Extended IPv4 ACLs" section on page 26-6 and the
          "Creating a VLAN Map" section on page 26-24.

Step 2    Enter the vlan access-map global configuration command to create a VLAN ACL map entry.

Step 3    In access-map configuration mode, optionally enter an action — forward (the default) or drop — and
          enter the match command to specify an IP packet or a non-IP packet (with only a known MAC address)
          and to match the packet against one or more ACLs (standard or extended).


Note      If the VLAN map is configured with a match clause for a type of packet (IP or MAC) and the map action
is drop, all packets that match the type are dropped. If the VLAN map has no match clause, and the
configured action is drop, all IP and Layer 2 packets are dropped.


Step 4    Use the vlan filter global configuration command to apply a VLAN map to one or more VLANs.


These  sections  contain  this  configuration  information: 

•  VLAN  Map  Configuration  Guidelines,  page  26-23 

•  Creating  a  VLAN  Map,  page  26-24 

•  Applying  a  VLAN  Map  to  a  VLAN,  page  26-26 

•  Using  VLAN  Maps  in  Your  Network,  page  26-27 

VLAN  Map  Configuration  Guidelines 

Follow  these  guidelines  when  configuring  VLAN  maps: 

•  If  there  is  no  ACL  configured  to  deny  traffic  on  an  interface  and  no  VLAN  map  is  configured,  all 
traffic  is  permitted. 

•  Each VLAN map consists of a series of entries. The order of entries in a VLAN map is important.
A packet that comes into the switch is tested against the first entry in the VLAN map. If it matches,
the action specified for that part of the VLAN map is taken. If there is no match, the packet is tested
against the next entry in the map.

•  If  the  VLAN  map  has  at  least  one  match  clause  for  the  type  of  packet  (IP  or  MAC)  and  the  packet 
does  not  match  any  of  these  match  clauses,  the  default  is  to  drop  the  packet.  If  there  is  no  match 
clause  for  that  type  of  packet  in  the  VLAN  map,  the  default  is  to  forward  the  packet. 

•  The  system  might  take  longer  to  boot  up  if  you  have  configured  a  very  large  number  of  ACLs. 

•  Logging  is  not  supported  for  VLAN  maps. 

•  If  VLAN  map  configuration  cannot  be  applied  in  hardware,  all  packets  in  that  VLAN  must  be 
forwarded  by  software. 

•  When  a  switch  has  an  IP  access  list  or  MAC  access  list  applied  to  a  Layer  2  interface,  and  you  apply 
a  VLAN  map  to  a  VLAN  that  the  port  belongs  to,  the  port  ACL  takes  precedence  over  the  VLAN 
map. 

For  configuration  examples,  see  the  "Using  VLAN  Maps  in  Your  Network"  section  on  page  26-27. 
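The ordering and default-action rules in the guidelines above are easy to get wrong, so here is an added Python model (example code, not Cisco software) that walks a packet through a VLAN map the way the text describes: entries in sequence order, an ACL permit inside a match clause counting as a match, an entry without a match clause applying to every packet, and a drop-by-default only when the map has a match clause for the packet's type. ACLs are reduced to ordered (action, predicate) pairs, and the map, ACL names and addresses are constructed.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Minimal ACL model: ordered (action, predicate) pairs. The wildcard syntax
# from the IPv4 ACL sections is not re-implemented here; any callable works.
Acl = List[Tuple[str, Callable[[Dict], bool]]]


def acl_permits(acl: Acl, packet: Dict) -> bool:
    """First-match evaluation with the implicit deny at the end."""
    for action, predicate in acl:
        if predicate(packet):
            return action == "permit"
    return False


class VlanMap:
    def __init__(self, name: str):
        self.name = name
        self.entries: Dict[int, Dict] = {}   # sequence number -> entry

    def access_map(self, number: Optional[int] = None) -> int:
        """vlan access-map name [number]: without a number the next entry is
        numbered in increments of 10; with one, that entry is selected or created."""
        if number is None:
            number = max(self.entries, default=0) + 10
        self.entries.setdefault(number, {"action": "forward", "match": []})
        return number

    def action(self, number: int, action: str) -> None:
        """action {drop | forward}; forward is the default."""
        self.entries[number]["action"] = action

    def match(self, number: int, packet_type: str, *acl_names: str) -> None:
        """match {ip | mac} address name [name ...]"""
        self.entries[number]["match"].append((packet_type, list(acl_names)))

    def delete(self, number: int) -> None:
        """no vlan access-map name number: remove one sequence entry."""
        self.entries.pop(number, None)

    def evaluate(self, packet: Dict, acls: Dict[str, Acl]) -> str:
        """Walk the entries in order; return 'forward' or 'drop'."""
        packet_type = packet["type"]               # "ip" or "mac"
        has_clause_for_type = any(ptype == packet_type
                                  for entry in self.entries.values()
                                  for ptype, _ in entry["match"])
        for number in sorted(self.entries):
            entry = self.entries[number]
            if not entry["match"]:                 # no match clause: applies to every packet
                return entry["action"]
            for ptype, names in entry["match"]:
                if ptype == packet_type and any(acl_permits(acls[n], packet) for n in names):
                    return entry["action"]         # an ACL permit counts as a match
        # Nothing matched: drop only if the map has a clause for this packet type.
        return "drop" if has_clause_for_type else "forward"


# Constructed sample: ACL names, addresses and the map itself are made up.
ACLS: Dict[str, Acl] = {
    "ip1": [("permit", lambda p: p["src"] == "10.1.1.1")],
    "mac1": [("permit", lambda p: p["src"] == "0000.0c00.0111")],
}


def build_sample_map() -> VlanMap:
    """Entry 10 drops IP packets that ip1 permits; entry 20 forwards non-IP
    packets that mac1 permits; everything else takes the type-based default."""
    vmap = VlanMap("map1")
    n = vmap.access_map()          # 10
    vmap.action(n, "drop")
    vmap.match(n, "ip", "ip1")
    n = vmap.access_map()          # 20, action left at the default (forward)
    vmap.match(n, "mac", "mac1")
    return vmap
```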


Creating a VLAN Map

Each  VLAN  map  consists  of  an  ordered  series  of  entries.  Beginning  in  privileged  EXEC  mode,  follow 
these  steps  to  create,  add  to,  or  delete  a  VLAN  map  entry: 


Command                                   Purpose

Step 1    configure terminal
          Enter global configuration mode.

Step 2    vlan access-map name [number]
          Create a VLAN map, and give it a name and (optionally) a number. The number is the sequence number of the entry within the map.
          When you create VLAN maps with the same name, numbers are assigned sequentially in increments of 10. When modifying or deleting maps, you can enter the number of the map entry that you want to modify or delete.
          Entering this command changes to access-map configuration mode.

Step 3    action {drop | forward}
          (Optional) Set the action for the map entry. The default is to forward.

Step 4    match {ip | mac} address {name | number} [name | number]
          Match the packet (using either the IP or MAC address) against one or more standard or extended access lists. Note that packets are only matched against access lists of the correct protocol type. IP packets are matched against standard or extended IP access lists. Non-IP packets are only matched against named MAC extended access lists.

Step 5    end
          Return to global configuration mode.

Step 6    show running-config
          Display the access list configuration.

Step 7    copy running-config startup-config
          (Optional) Save your entries in the configuration file.

Use the no vlan access-map name global configuration command to delete a map. Use the no vlan access-map name number global configuration command to delete a single sequence entry from within the map.

Use the no action access-map configuration command to enforce the default action, which is to forward.

VLAN maps do not use the specific permit or deny keywords. To deny a packet by using VLAN maps, create an ACL that would match the packet, and set the action to drop. A permit in the ACL counts as a match. A deny in the ACL means no match.


Examples of ACLs and VLAN Maps

These examples show how to create ACLs and VLAN maps for specific purposes.

Example 1

This example shows how to create an ACL and a VLAN map to deny a packet. In the first map, any packets that match the ip1 ACL (TCP packets) would be dropped. You first create the ip1 ACL to permit any TCP packet and no other packets. Because there is a match clause for IP packets in the VLAN map, the default action is to drop any IP packet that does not match any of the match clauses.

Switch(config)# ip access-list extended ip1
Switch(config-ext-nacl)# permit tcp any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map map_1 10
Switch(config-access-map)# match ip address ip1
Switch(config-access-map)# action drop

This example shows how to create a VLAN map to permit a packet. ACL ip2 permits UDP packets, and any packets that match the ip2 ACL are forwarded. In this map, any IP packets that did not match any of the previous ACLs (that is, packets that are not TCP packets or UDP packets) would get dropped.

Switch(config)# ip access-list extended ip2
Switch(config-ext-nacl)# permit udp any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map map_1 20
Switch(config-access-map)# match ip address ip2
Switch(config-access-map)# action forward


Example 2

In this example, the VLAN map has a default action of drop for IP packets and a default action of forward for MAC packets. Used with standard ACL 101 and extended named access lists igmp-match and tcp-match, the map will have the following results:

•  Forward all UDP packets

•  Drop all IGMP packets

•  Forward all TCP packets

•  Drop all other IP packets

•  Forward all non-IP packets

Switch(config)# access-list 101 permit udp any any
Switch(config)# ip access-list extended igmp-match
Switch(config-ext-nacl)# permit igmp any any
Switch(config)# ip access-list extended tcp-match
Switch(config-ext-nacl)# permit tcp any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map drop-ip-default 10
Switch(config-access-map)# match ip address 101
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan access-map drop-ip-default 20
Switch(config-access-map)# match ip address igmp-match
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan access-map drop-ip-default 30
Switch(config-access-map)# match ip address tcp-match
Switch(config-access-map)# action forward


Example 3

In this example, the VLAN map has a default action of drop for MAC packets and a default action of forward for IP packets. Used with MAC extended access lists good-hosts and good-protocols, the map will have the following results:

•  Forward MAC packets from hosts 0000.0c00.0111 and 0000.0c00.0211

•  Forward MAC packets with decnet-iv or vines-ip protocols

•  Drop all other non-IP packets

•  Forward all IP packets

Switch(config)# mac access-list extended good-hosts
Switch(config-ext-macl)# permit host 0000.0c00.0111 any
Switch(config-ext-macl)# permit host 0000.0c00.0211 any
Switch(config-ext-macl)# exit
Switch(config)# mac access-list extended good-protocols
Switch(config-ext-macl)# permit any any decnet-iv
Switch(config-ext-macl)# permit any any vines-ip
Switch(config-ext-macl)# exit
Switch(config)# vlan access-map drop-mac-default 10
Switch(config-access-map)# match mac address good-hosts
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan access-map drop-mac-default 20
Switch(config-access-map)# match mac address good-protocols
Switch(config-access-map)# action forward

Example 4

In this example, the VLAN map has a default action of drop for all packets (IP and non-IP). Used with access lists tcp-match and good-hosts from Examples 2 and 3, the map will have the following results:

•  Forward all TCP packets

•  Forward MAC packets from hosts 0000.0c00.0111 and 0000.0c00.0211

•  Drop all other IP packets

•  Drop all other MAC packets

Switch(config)# vlan access-map drop-all-default 10
Switch(config-access-map)# match ip address tcp-match
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan access-map drop-all-default 20
Switch(config-access-map)# match mac address good-hosts
Switch(config-access-map)# action forward
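The evaluation rules behind the guidelines and Examples 1 through 4 (sequence order, permit counts as a match and deny does not, first matching entry wins, and the per-type default of drop only when the map has a match clause for that packet type) are easy to get wrong when reviewing a map by hand. The following simulator is an added example, not Cisco code: packets, ACEs and map entries are simplified data structures (assumptions), and the rule that an entry with no match clause matches every packet is also an assumption. The ACLs and maps of Examples 2 and 4 are transcribed into it so that its answers can be checked against the result lists above.

```python
"""Simulator of the VLAN map (VACL) evaluation rules described in this chapter.
Added example, not Cisco code; data structures are simplified assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Packet:
    kind: str                       # "ip" or "mac" (non-IP frame)
    proto: Optional[str] = None     # "tcp", "udp", "igmp", "decnet-iv", ...
    src_mac: Optional[str] = None   # only meaningful for kind == "mac"
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None


@dataclass
class Ace:
    """One access control entry. A field left as None means 'any'."""
    permit: bool
    proto: Optional[str] = None
    src_mac: Optional[str] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        for name in ("proto", "src_mac", "src_ip", "dst_ip", "dst_port"):
            want = getattr(self, name)
            if want is not None and want != getattr(pkt, name):
                return False
        return True


def acl_is_match(acl: List[Ace], pkt: Packet) -> bool:
    """First-match ACL lookup used as a classifier: a permit ACE counts as a match,
    a deny ACE (including the implicit deny at the end) means no match."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.permit
    return False


@dataclass
class MapEntry:
    seq: int
    action: str = "forward"                             # default action of an entry
    match_ip: List[str] = field(default_factory=list)   # names of IP ACLs
    match_mac: List[str] = field(default_factory=list)  # names of MAC ACLs


def evaluate(vlan_map: List[MapEntry], acls: Dict[str, List[Ace]], pkt: Packet) -> str:
    """Return 'forward' or 'drop' for pkt under vlan_map."""
    saw_clause_for_type = False
    for entry in sorted(vlan_map, key=lambda e: e.seq):
        if not entry.match_ip and not entry.match_mac:
            return entry.action      # assumption: an entry with no match clause matches all
        names = entry.match_ip if pkt.kind == "ip" else entry.match_mac
        if names:
            saw_clause_for_type = True
            if any(acl_is_match(acls[n], pkt) for n in names):
                return entry.action  # first matching entry decides
    # Nothing matched: drop only if the map had a clause for this packet type.
    return "drop" if saw_clause_for_type else "forward"


# ACLs and maps of Examples 2 and 4, transcribed into the structures above.
ACLS = {
    "101": [Ace(True, proto="udp")],
    "igmp-match": [Ace(True, proto="igmp")],
    "tcp-match": [Ace(True, proto="tcp")],
    "good-hosts": [Ace(True, src_mac="0000.0c00.0111"), Ace(True, src_mac="0000.0c00.0211")],
}
DROP_IP_DEFAULT = [
    MapEntry(10, "forward", match_ip=["101"]),
    MapEntry(20, "drop", match_ip=["igmp-match"]),
    MapEntry(30, "forward", match_ip=["tcp-match"]),
]
DROP_ALL_DEFAULT = [
    MapEntry(10, "forward", match_ip=["tcp-match"]),
    MapEntry(20, "forward", match_mac=["good-hosts"]),
]

if __name__ == "__main__":
    for p in (Packet("ip", proto="udp"), Packet("ip", proto="igmp"), Packet("ip", proto="icmp"),
              Packet("mac", src_mac="0000.0c00.0111"), Packet("mac", src_mac="0000.0c00.9999")):
        print(p, evaluate(DROP_IP_DEFAULT, ACLS, p), evaluate(DROP_ALL_DEFAULT, ACLS, p))
```

Run with a packet of each kind and compare against the bullet lists of Examples 2 and 4; a deny ACE placed before a permit in an ACL demonstrates the "deny means no match" rule, because the packet then falls through to the map's per-type default rather than to the entry's action.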


Applying a VLAN Map to a VLAN

Beginning in privileged EXEC mode, follow these steps to apply a VLAN map to one or more VLANs:

Command                                   Purpose

Step 1    configure terminal
          Enter global configuration mode.

Step 2    vlan filter mapname vlan-list list
          Apply the VLAN map to one or more VLAN IDs.
          The list can be a single VLAN ID (22), a consecutive list (10-22), or a string of VLAN IDs (12, 22, 30). Spaces around the comma and hyphen are optional.

Step 3    show running-config
          Display the access list configuration.

Step 4    copy running-config startup-config
          (Optional) Save your entries in the configuration file.

To remove the VLAN map, use the no vlan filter mapname vlan-list list global configuration command.

This example shows how to apply VLAN map map1 to VLANs 20 through 22:

Switch(config)# vlan filter map1 vlan-list 20-22
Using VLAN Maps in Your Network

These sections describe some typical uses for VLAN maps:

•  Wiring Closet Configuration, page 26-27

•  Denying Access to a Server on a VLAN, page 26-28

Wiring Closet Configuration

In a wiring closet configuration, the switch can support a VLAN map and a QoS classification ACL. In Figure 26-3, assume that Host X and Host Y are in different VLANs and are connected to wiring closet switches A and C. Traffic from Host X to Host Y is eventually being routed by Switch B, a Layer 3 switch with routing enabled. Traffic from Host X to Host Y can be access-controlled at the traffic entry point, Switch A.

If you do not want HTTP traffic switched from Host X to Host Y, you can configure a VLAN map on Switch A to drop all HTTP traffic from Host X (IP address 10.1.1.32) to Host Y (IP address 10.1.1.34) at Switch A and not bridge it to Switch B.

First, define the IP access list http that permits (matches) any TCP traffic on the HTTP port.

Switch(config)# ip access-list extended http
Switch(config-ext-nacl)# permit tcp host 10.1.1.32 host 10.1.1.34 eq www
Switch(config-ext-nacl)# exit

Next, create VLAN access map map2 so that traffic that matches the http access list is dropped and all other IP traffic is forwarded.

Switch(config)# vlan access-map map2 10
Switch(config-access-map)# match ip address http
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# ip access-list extended match_all
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map map2 20
Switch(config-access-map)# match ip address match_all
Switch(config-access-map)# action forward

Then, apply VLAN access map map2 to VLAN 1.

Switch(config)# vlan filter map2 vlan-list 1

Denying Access to a Server on a VLAN

You can restrict access to a server on a VLAN. For example, server 10.1.1.100 in VLAN 10 needs to have access denied to hosts 10.1.1.4 and 10.1.1.8 (see Figure 26-4):

Figure 26-4        Deny Access to a Server on a VLAN

This example shows how to deny access to a server on another VLAN by creating the VLAN map SERVER1 that denies access to hosts in subnet 10.1.2.0.8, host 10.1.1.4, and host 10.1.1.8 and permits other IP traffic. The final step is to apply the map SERVER1 to VLAN 10.

Step 1      Define the IP ACL that will match the correct packets.

Switch(config)# ip access-list extended SERVER1_ACL
Switch(config-ext-nacl)# permit ip host 10.1.1.4 host 10.1.1.100
Switch(config-ext-nacl)# permit ip host 10.1.1.8 host 10.1.1.100
Switch(config-ext-nacl)# exit

Step 2      Define a VLAN map using this ACL that will drop IP packets that match SERVER1_ACL and forward IP packets that do not match the ACL.

Switch(config)# vlan access-map SERVER1_MAP
Switch(config-access-map)# match ip address SERVER1_ACL
Switch(config-access-map)# action drop
Switch(config)# vlan access-map SERVER1_MAP 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit

Step 3      Apply the VLAN map to VLAN 10.

Switch(config)# vlan filter SERVER1_MAP vlan-list 10


Displaying IPv4 ACL Configuration

You can display the ACLs that are configured on the switch, and you can display the ACLs that have been applied to interfaces and VLANs.

When you use the ip access-group interface configuration command to apply ACLs to a Layer 2 interface, you can display the access groups on the interface. You can also display the MAC ACLs applied to a Layer 2 interface. You can use the privileged EXEC commands as described in Table 26-2 to display this information.

Table 26-2        Commands for Displaying Access Lists and Access Groups

Command                                           Purpose

show access-lists [number | name]
          Display the contents of one or all current IP and MAC address access lists or a specific access list (numbered or named).

show ip access-lists [number | name]
          Display the contents of all current IP access lists or a specific IP access list (numbered or named).

show running-config [interface interface-id]
          Displays the contents of the configuration file for the switch or the specified interface, including all configured MAC and IP access lists and which access groups are applied to an interface.

show mac access-group [interface interface-id]
          Displays MAC access lists applied to all Layer 2 interfaces or the specified Layer 2 interface.

You can also display information about VLAN access maps or VLAN filters. Use the privileged EXEC commands in Table 26-3 to display VLAN map information.

Table 26-3        Commands for Displaying VLAN Map Information

Command                                           Purpose

show vlan access-map [mapname]
          Show information about all VLAN access maps or the specified access map.

show vlan filter [access-map name | vlan vlan-id]
          Show information about all VLAN filters or about a specified VLAN or VLAN access map.
Configuring QoS

This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-QoS) commands or by using standard QoS commands on the switch. With QoS, you can provide preferential treatment to certain types of traffic at the expense of others. Without QoS, the switch offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.

You can configure QoS on physical ports and on switch virtual interfaces (SVIs). Other than to apply policy maps, you configure the QoS settings, such as classification, queueing, and scheduling, the same way on physical ports and SVIs. When configuring QoS on a physical port, you apply a nonhierarchical policy map. When configuring QoS on an SVI, you apply a nonhierarchical or a hierarchical policy map.

Note      For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.

This chapter consists of these sections:

•  Understanding QoS, page 27-1

•  Configuring Auto-QoS, page 27-20

•  Displaying Auto-QoS Information, page 27-29

•  Configuring Standard QoS, page 27-29

•  Displaying Standard QoS Information, page 27-75

The switch supports some of the modular QoS CLI (MQC) commands. For more information about the MQC commands, see the "Modular Quality of Service Command-Line Interface Overview" at this site:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800bd908.html

Understanding QoS

Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.

When you configure the QoS feature, you can select specific network traffic, prioritize it according to its relative importance, and use congestion-management and congestion-avoidance techniques to provide preferential treatment. Implementing QoS in your network makes network performance more predictable and bandwidth utilization more effective.

The QoS implementation is based on the Differentiated Services (DiffServ) architecture, an emerging standard from the Internet Engineering Task Force (IETF). This architecture specifies that each packet is classified upon entry into the network.

The classification is carried in the IP packet header, using 6 bits from the deprecated IP type of service (ToS) field to carry the classification (class) information. Classification can also be carried in the Layer 2 frame. These special bits in the Layer 2 frame or a Layer 3 packet are described here and shown in Figure 27-1:

•  Prioritization bits in Layer 2 frames:

Layer 2 Inter-Switch Link (ISL) frame headers have a 1-byte User field that carries an IEEE 802.1p class of service (CoS) value in the three least-significant bits. On ports configured as Layer 2 ISL trunks, all traffic is in ISL frames.

Layer 2 802.1Q frame headers have a 2-byte Tag Control Information field that carries the CoS value in the three most-significant bits, which are called the User Priority bits. On ports configured as Layer 2 802.1Q trunks, all traffic is in 802.1Q frames except for traffic in the native VLAN.

Other frame types cannot carry Layer 2 CoS values.

Layer 2 CoS values range from 0 for low priority to 7 for high priority.

•  Prioritization bits in Layer 3 packets:

Layer 3 IP packets can carry either an IP precedence value or a Differentiated Services Code Point (DSCP) value. QoS supports the use of either value because DSCP values are backward-compatible with IP precedence values.

IP precedence values range from 0 to 7.

DSCP values range from 0 to 63.

Note      IPv6 QoS is not supported in this release.

Figure 27-1        QoS Classification Layers in Frames and Packets
All switches and routers that access the Internet rely on the class information to provide the same forwarding treatment to packets with the same class information and different treatment to packets with different class information. The class information in the packet can be assigned by end hosts or by switches or routers along the way, based on a configured policy, detailed examination of the packet, or both. Detailed examination of the packet is expected to happen closer to the edge of the network so that the core switches and routers are not overloaded with this task.

Switches and routers along the path can use the class information to limit the amount of resources allocated per traffic class. The behavior of an individual device when handling traffic in the DiffServ architecture is called per-hop behavior. If all devices along a path provide a consistent per-hop behavior, you can construct an end-to-end QoS solution.

Implementing QoS in your network can be a simple or complex task and depends on the QoS features offered by your internetworking devices, the traffic types and patterns in your network, and the granularity of control that you need over incoming and outgoing traffic.

Basic QoS Model

To implement QoS, the switch must distinguish packets or flows from one another (classify), assign a label to indicate the given quality of service as the packets move through the switch, make the packets comply with the configured resource usage limits (police and mark), and provide different treatment (queue and schedule) in all situations where resource contention exists. The switch also needs to ensure that traffic sent from it meets a specific traffic profile (shape).

Figure 27-2 shows the basic QoS model. Actions at the ingress port include classifying traffic, policing, marking, queueing, and scheduling:

•  Classifying a distinct path for a packet by associating it with a QoS label. The switch maps the CoS or DSCP in the packet to a QoS label to distinguish one kind of traffic from another. The QoS label that is generated identifies all future QoS actions to be performed on this packet. For more information, see the "Classification" section on page 27-5.

•  Policing determines whether a packet is in or out of profile by comparing the rate of the incoming traffic to the configured policer. The policer limits the bandwidth consumed by a flow of traffic. The result is passed to the marker. For more information, see the "Policing and Marking" section on page 27-8.

•  Marking evaluates the policer and configuration information for the action to be taken when a packet is out of profile and determines what to do with the packet (pass through a packet without modification, mark down the QoS label in the packet, or drop the packet). For more information, see the "Policing and Marking" section on page 27-8.

•  Queueing evaluates the QoS label and the corresponding DSCP or CoS value to select into which of the two ingress queues to place a packet. Queueing is enhanced with the weighted tail-drop (WTD) algorithm, a congestion-avoidance mechanism. If the threshold is exceeded, the packet is dropped. For more information, see the "Queueing and Scheduling Overview" section on page 27-13.

•  Scheduling services the queues based on their configured shaped round robin (SRR) weights. One of the ingress queues is the priority queue, and SRR services it for its configured share before servicing the other queue. For more information, see the "SRR Shaping and Sharing" section on page 27-14.

Actions at the egress port include queueing and scheduling:

•  Queueing evaluates the QoS packet label and the corresponding DSCP or CoS value before selecting which of the four egress queues to use. Because congestion can occur when multiple ingress ports simultaneously send data to an egress port, WTD differentiates traffic classes and subjects the packets to different thresholds based on the QoS label. If the threshold is exceeded, the packet is dropped. For more information, see the "Queueing and Scheduling Overview" section on page 27-13.

•  Scheduling services the four egress queues based on their configured SRR shared or shaped weights. One of the queues (queue 1) can be the expedited queue, which is serviced until empty before the other queues are serviced.

Figure 27-2
Classification

Classification is the process of distinguishing one kind of traffic from another by examining the fields in the packet. Classification is enabled only if QoS is globally enabled on the switch. By default, QoS is globally disabled, so no classification occurs.

During classification, the switch performs a lookup and assigns a QoS label to the packet. The QoS label identifies all QoS actions to be performed on the packet and from which queue the packet is sent.

The QoS label is based on the DSCP or the CoS value in the packet and decides the queueing and scheduling actions to perform on the packet. The label is mapped according to the trust setting and the packet type as shown in Figure 27-3 on page 27-6.

You specify which fields in the frame or packet that you want to use to classify incoming traffic. For non-IP traffic, you have these classification options as shown in Figure 27-3:

•  Trust the CoS value in the incoming frame (configure the port to trust CoS). Then use the configurable CoS-to-DSCP map to generate a DSCP value for the packet. Layer 2 ISL frame headers carry the CoS value in the 3 least-significant bits of the 1-byte User field. Layer 2 802.1Q frame headers carry the CoS value in the 3 most-significant bits of the Tag Control Information field. CoS values range from 0 for low priority to 7 for high priority.

•  Trust the DSCP or trust IP precedence value in the incoming frame. These configurations are meaningless for non-IP traffic. If you configure a port with either of these options and non-IP traffic is received, the switch assigns a CoS value and generates an internal DSCP value from the CoS-to-DSCP map. The switch uses the internal DSCP value to generate a CoS value representing the priority of the traffic.

•  Perform the classification based on a configured Layer 2 MAC access control list (ACL), which can examine the MAC source address, the MAC destination address, and other fields. If no ACL is configured, the packet is assigned 0 as the DSCP and CoS values, which means best-effort traffic. Otherwise, the policy-map action specifies a DSCP or CoS value to assign to the incoming frame.

For IP traffic, you have these classification options as shown in Figure 27-3:

•  Trust the DSCP value in the incoming packet (configure the port to trust DSCP), and assign the same DSCP value to the packet. The IETF defines the 6 most-significant bits of the 1-byte ToS field as the DSCP. The priority represented by a particular DSCP value is configurable. DSCP values range from 0 to 63.

For ports that are on the boundary between two QoS administrative domains, you can modify the DSCP to another value by using the configurable DSCP-to-DSCP-mutation map.

•  Trust the IP precedence value in the incoming packet (configure the port to trust IP precedence), and generate a DSCP value for the packet by using the configurable IP-precedence-to-DSCP map. The IP Version 4 specification defines the 3 most-significant bits of the 1-byte ToS field as the IP precedence. IP precedence values range from 0 for low priority to 7 for high priority.

•  Trust the CoS value (if present) in the incoming packet, and generate a DSCP value for the packet by using the CoS-to-DSCP map. If the CoS value is not present, use the default port CoS value.

•  Perform the classification based on a configured IP standard or an extended ACL, which examines various fields in the IP header. If no ACL is configured, the packet is assigned 0 as the DSCP and CoS values, which means best-effort traffic. Otherwise, the policy-map action specifies a DSCP or CoS value to assign to the incoming frame.
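The bit positions named in the "Understanding QoS" section (CoS in the three most-significant bits of the 802.1Q Tag Control Information field, DSCP in the six and IP precedence in the three most-significant bits of the ToS byte) and the trust-state rules listed above can be exercised on a real frame. The following is an added example, not Cisco code: the sample frames are constructed, the source and destination MAC and IP addresses in them are made up, and the CoS-to-DSCP and IP-precedence-to-DSCP maps are assumed defaults (the chapter defers the actual tables to its "Mapping Tables" section), so replace them with the values from your switch. The non-IP fallback and the untagged-frame case follow the bullets above.

```python
"""Classification stage in code: extract CoS, IP precedence and DSCP from a frame
and derive the internal DSCP for a port trust state. Added example, not Cisco code.
Sample frames and addresses are constructed; the two maps are assumed defaults."""
import struct

SRC_MAC = bytes.fromhex("00000c000111")   # constructed addresses
DST_MAC = bytes.fromhex("00000c000211")


def build_frame(tos, cos=None, vlan=1, ethertype=0x0800):
    """Constructed sample frame. cos=None builds an untagged frame; an ethertype
    other than 0x0800 builds a non-IP frame with a dummy payload."""
    hdr = DST_MAC + SRC_MAC
    if cos is not None:
        tci = (cos << 13) | vlan                 # User Priority = 3 MSB of the TCI
        hdr += b"\x81\x00" + struct.pack("!H", tci)
    hdr += struct.pack("!H", ethertype)
    if ethertype != 0x0800:
        return hdr + b"\x00" * 46
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                     bytes([10, 1, 1, 32]), bytes([10, 1, 1, 34]))
    return hdr + ip


def parse(frame):
    """Return the classification fields: cos (None if untagged), is_ip, dscp, precedence."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    cos, offset = None, 14
    if ethertype == 0x8100:                      # 802.1Q tag present
        tci = struct.unpack("!H", frame[14:16])[0]
        cos = tci >> 13                          # 3 most-significant bits of the TCI
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    info = {"cos": cos, "is_ip": ethertype == 0x0800, "dscp": None, "precedence": None}
    if info["is_ip"]:
        tos = frame[offset + 1]                  # ToS byte follows the version/IHL byte
        info["dscp"] = tos >> 2                  # 6 most-significant bits of ToS
        info["precedence"] = tos >> 5            # 3 most-significant bits of ToS
    return info


# Assumed default maps (CoS or precedence n -> DSCP 8*n); use the switch's real tables.
COS_TO_DSCP = [0, 8, 16, 24, 32, 40, 48, 56]
IPPREC_TO_DSCP = [0, 8, 16, 24, 32, 40, 48, 56]


def internal_dscp(frame, trust, default_port_cos=0, dscp_mutation=None):
    """trust: None (untrusted port), 'cos', 'dscp' or 'ip-precedence'."""
    f = parse(frame)
    cos = f["cos"] if f["cos"] is not None else default_port_cos  # untagged: port CoS
    if trust is None:
        return 0                       # best effort unless a policy map sets a value
    if trust == "cos" or not f["is_ip"]:
        # trust dscp / ip-precedence are meaningless for non-IP: fall back to CoS
        return COS_TO_DSCP[cos]
    if trust == "ip-precedence":
        return IPPREC_TO_DSCP[f["precedence"]]
    if trust == "dscp":
        d = f["dscp"]
        return dscp_mutation.get(d, d) if dscp_mutation else d  # boundary-port mutation
    raise ValueError(f"unknown trust state {trust!r}")
```

A tagged frame with CoS 5 and ToS 0xB8 (DSCP 46, precedence 5) yields an internal DSCP of 46 under trust dscp but 40 under trust cos or trust ip-precedence with the assumed maps, which is the kind of mismatch to look for when a trust boundary does not behave as expected.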

For information on the maps described in this section, see the "Mapping Tables" section on page 27-12. For configuration information on port trust states, see the "Configuring Classification Using Port Trust States" section on page 27-35.

After classification, the packet is sent to the policing, marking, and the ingress queueing and scheduling stages.

Figure 27-3        Classification Flowchart
Classification Based on QoS ACLs

You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same characteristics (class). In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings than with security ACLs:

•  If a match with a permit action is encountered (first-match principle), the specified QoS-related action is taken.

•  If a match with a deny action is encountered, the ACL being processed is skipped, and the next ACL is processed.

•  If no match with a permit action is encountered and all the ACEs have been examined, no QoS processing occurs on the packet, and the switch offers best-effort service to the packet.

•  If multiple ACLs are configured on a port, the lookup stops after the packet matches the first ACL with a permit action, and QoS processing begins.

Note      When creating an access list, remember that, by default, the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end.
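The four bullets and the note describe a lookup that differs from a security ACL: a deny does not drop anything, it only ends the current ACL and moves on to the next one. The following is an added example, not Cisco code, that implements exactly that walk over a list of classes; the ACE fields, the packet representation and the per-class DSCP action are simplified assumptions, and the sample policy is constructed.

```python
"""First-match QoS classification across several ACLs, as described in the bullets
above. Added example, not Cisco code; ACEs, packets and actions are simplified."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    permit: bool
    proto: Optional[str] = None      # None = any protocol
    dst_port: Optional[int] = None   # None = any destination port

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or self.proto == pkt.get("proto")) and
                (self.dst_port is None or self.dst_port == pkt.get("dst_port")))


@dataclass
class QosClass:
    name: str
    acl: List[Ace]     # the access group the class map matches on
    set_dscp: int      # the policy-map action attached to the class


BEST_EFFORT = ("class-default", 0)


def classify(policy: List[QosClass], pkt: dict) -> Tuple[str, int]:
    """Walk the ACLs in order. A permit ACE is the first match and ends the lookup
    with that class's action; a deny ACE skips the rest of that ACL; an ACL whose
    ACEs all fail reaches the implicit deny and is skipped as well. With no permit
    match anywhere the packet gets best-effort service (DSCP 0)."""
    for cls in policy:
        for ace in cls.acl:
            if ace.matches(pkt):
                if ace.permit:
                    return cls.name, cls.set_dscp
                break                      # explicit deny: skip this ACL, try the next
    return BEST_EFFORT


# Constructed policy: UDP to port 5060 is excluded from the voice class by a deny ACE
# ahead of the permit, then bulk TCP; anything else falls to best effort.
POLICY = [
    QosClass("voice", [Ace(False, proto="udp", dst_port=5060), Ace(True, proto="udp")], 46),
    QosClass("bulk", [Ace(True, proto="tcp")], 10),
]

if __name__ == "__main__":
    for pkt in ({"proto": "udp", "dst_port": 5004}, {"proto": "udp", "dst_port": 5060},
                {"proto": "tcp", "dst_port": 80}, {"proto": "icmp"}):
        print(pkt, classify(POLICY, pkt))
```

The second sample packet is the instructive one: the deny ACE stops the voice ACL, the bulk ACL has no permit for UDP, so the packet is neither marked nor dropped; it simply receives best-effort service.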


After  a  traffic  class  has  been  defined  with  the  ACL,  you  can  attach  a  policy  to  it.  A  policy  might  contain 
multiple  classes  with  actions  specified  for  each  one  of  them.  A  policy  might  include  commands  to 
classify  the  class  as  a  particular  aggregate  (for  example,  assign  a  DSCP)  or  rate-limit  the  class.  This 
policy  is  then  attached  to  a  particular  port  on  which  it  becomes  effective. 

You  implement  IP  ACLs  to  classify  IP  traffic  by  using  the  access-list  global  configuration  command; 
you  implement  Layer  2  MAC  ACLs  to  classify  non-IP  traffic  by  using  the  mac  access-list  extended 
global  configuration  command.  For  configuration  information,  see  the  "Configuring  a  QoS  Policy" 
section  on  page  27-41. 

Classification  Based  on  Class  Maps  and  Policy  Maps 

A  class  map  is  a  mechanism  that  you  use  to  name  a  specific  traffic  flow  (or  class)  and  to  isolate  it  from 
all  other  traffic.  The  class  map  defines  the  criteria  used  to  match  against  a  specific  traffic  flow  to  further 
classify  it.  The  criteria  can  include  matching  the  access  group  defined  by  the  ACL  or  matching  a  specific 
list  of  DSCP  or  IP  precedence  values.  If  you  have  more  than  one  type  of  traffic  that  you  want  to  classify, 
you  can  create  another  class  map  and  use  a  different  name.  After  a  packet  is  matched  against  the 
class-map  criteria,  you  further  classify  it  through  the  use  of  a  policy  map. 

A  policy  map  specifies  which  traffic  class  to  act  on.  Actions  can  include  trusting  the  CoS,  DSCP,  or  IP 
precedence  values  in  the  traffic  class;  setting  a  specific  DSCP  or  IP  precedence  value  in  the  traffic  class; 
or  specifying  the  traffic  bandwidth  limitations  and  the  action  to  take  when  the  traffic  is  out  of  profile. 
Before  a  policy  map  can  be  effective,  you  must  attach  it  to  a  port. 

You  create  a  class  map  by  using  the  class-map  global  configuration  command  or  the  class  policy-map 
configuration  command.  You  should  use  the  class-map  command  when  the  map  is  shared  among  many 
ports.  When  you  enter  the  class-map  command,  the  switch  enters  the  class-map  configuration  mode.  In 
this  mode,  you  define  the  match  criterion  for  the  traffic  by  using  the  match  class-map  configuration 
command. 

You  create  and  name  a  policy  map  by  using  the  policy-map  global  configuration  command.  When  you 
enter  this  command,  the  switch  enters  the  policy-map  configuration  mode.  In  this  mode,  you  specify  the 
actions  to  take  on  a  specific  traffic  class  by  using  the  class,  trust,  or  set  policy-map  configuration  and 
policy-map  class  configuration  commands. 
The policy map can contain the police and police aggregate policy-map class configuration commands,
which  define  the  policer,  the  bandwidth  limitations  of  the  traffic,  and  the  action  to  take  if  the  limits  are 
exceeded. 

To  enable  the  policy  map,  you  attach  it  to  a  port  by  using  the  service-policy  interface  configuration 
command. 
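The whole sequence described above (ACL, class map, policy map, service-policy) as one configuration. This is an added example, not a configuration taken from the guide; the ACL number, the class and policy names, the rate and burst values, and the port number gigabitethernet0/1 are assumptions chosen for illustration.

```cisco
! Global QoS must be enabled before class maps and policy maps have any effect.
mls qos
!
! Mark-down target used by the policer below (policed-DSCP map): out-of-profile
! packets carrying DSCP 46 (EF) are rewritten to DSCP 8 instead of being dropped.
mls qos map policed-dscp 46 to 8
!
! ACL that selects the RTP voice range (UDP 16384-32767). Packets the ACL does
! not permit, including those hitting the implicit deny at its end, do not match
! the class; because the port itself stays untrusted they leave with DSCP 0.
access-list 101 permit udp any any range 16384 32767
!
! Class map: name the flow and bind it to the ACL.
class-map match-all voice-rtp
 match access-group 101
!
! Policy map: keep the DSCP already carried by matched voice packets, cap the
! class at 1 Mb/s with an 8000-byte burst, and mark down (not drop) the excess so
! a misbehaving endpoint degrades rather than silences the call.
policy-map edge-in
 class voice-rtp
  trust dscp
  police 1000000 8000 exceed-action policed-dscp-transmit
!
! The policy does nothing until it is attached to an ingress port.
interface gigabitethernet0/1
 service-policy input edge-in
!
! Verification: the class, the policy, and the QoS state of the port.
show class-map voice-rtp
show policy-map edge-in
show mls qos interface gigabitethernet0/1
```

The choice between exceed-action drop and exceed-action policed-dscp-transmit is the practical control here: dropping protects the rest of the network at the cost of the offending flow, marking down keeps the flow alive but demotes it to the queue and drop threshold of the marked-down DSCP.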

You can apply a nonhierarchical policy map to a physical port or an SVI. However, a hierarchical policy
map  can  only  be  applied  to  an  SVI.  A  hierarchical  policy  map  contains  two  levels.  The  first  level,  the 
VLAN  level,  specifies  the  actions  to  be  taken  against  a  traffic  flow  on  the  SVI.  The  second  level,  the 
interface  level,  specifies  the  actions  to  be  taken  against  the  traffic  on  the  physical  ports  that  belong  to 
the  SVI.  The  interface-level  actions  are  specified  in  the  interface-level  policy  map. 

For  more  information,  see  the  "Policing  and  Marking"  section  on  page  27-8.  For  configuration 
information,  see  the  "Configuring  a  QoS  Policy"  section  on  page  27-41. 

Policing  and  Marking 

After  a  packet  is  classified  and  has  a  DSCP-based  or  CoS-based  QoS  label  assigned  to  it,  the  policing 
and  marking  process  can  begin  as  shown  in  Figure  27-4. 

Policing  involves  creating  a  policer  that  specifies  the  bandwidth  limits  for  the  traffic.  Packets  that  exceed 
the  limits  are  out  of  profile  or  nonconforming.  Each  policer  decides  on  a  packet-by-packet  basis  whether 
the  packet  is  in  or  out  of  profile  and  specifies  the  actions  on  the  packet.  These  actions,  carried  out  by  the 
marker,  include  passing  through  the  packet  without  modification,  dropping  the  packet,  or  modifying 
(marking  down)  the  assigned  DSCP  of  the  packet  and  allowing  the  packet  to  pass  through.  The 
configurable  policed-DSCP  map  provides  the  packet  with  a  new  DSCP-based  QoS  label.  For 
information  on  the  policed-DSCP  map,  see  the  "Mapping  Tables"  section  on  page  27-12.  Marked-down 
packets  use  the  same  queues  as  the  original  QoS  label  to  prevent  packets  in  a  flow  from  getting  out  of 
order. 


Note  All  traffic,  regardless  of  whether  it  is  bridged  or  routed,  is  subjected  to  a  policer,  if  one  is  configured. 
As  a  result,  bridged  packets  might  be  dropped  or  might  have  their  DSCP  or  CoS  fields  modified  when 
they  are  policed  and  marked. 


You  can  configure  policing  on  a  physical  port  or  an  SVI.  For  more  information  about  configuring 
policing  on  physical  ports,  see  the  "Policing  on  Physical  Ports"  section  on  page  27-9.  When  you 
configure  policy  maps  on  an  SVI,  you  can  create  a  hierarchical  policy  map  and  can  define  an  individual 
policer  only  in  the  secondary  interface-level  policy  map.  For  more  information,  see  the  "Policing  on 
SVIs"  section  on  page  27-10. 

After  you  configure  the  policy  map  and  policing  actions,  attach  the  policy  to  an  ingress  port  or  SVI  by 
using  the  service-policy  interface  configuration  command.  For  configuration  information,  see  the 
"Classifying,  Policing,  and  Marking  Traffic  on  Physical  Ports  by  Using  Policy  Maps"  section  on 
page  27-47,  the  "Classifying,  Policing,  and  Marking  Traffic  on  SVIs  by  Using  Hierarchical  Policy 
Maps"  section  on  page  27-50,  and  the  "Classifying,  Policing,  and  Marking  Traffic  by  Using  Aggregate 
Policers"  section  on  page  27-55. 
Policing on Physical Ports

In  policy  maps  on  physical  ports,  you  can  create  these  types  of  policers: 

•  Individual — QoS  applies  the  bandwidth  limits  specified  in  the  policer  separately  to  each  matched 
traffic  class.  You  configure  this  type  of  policer  within  a  policy  map  by  using  the  police  policy-map 
class  configuration  command. 

•  Aggregate — QoS applies the bandwidth limits specified in an aggregate policer cumulatively to all
matched traffic flows. You configure this type of policer by specifying the aggregate policer name
within a policy map by using the police aggregate policy-map class configuration command. You
specify the bandwidth limits of the policer by using the mls qos aggregate-policer global
configuration command. In this way, the aggregate policer is shared by multiple classes of traffic
within a policy map.

Policing  uses  a  token-bucket  algorithm.  As  each  frame  is  received  by  the  switch,  a  token  is  added  to  the 
bucket.  The  bucket  has  a  hole  in  it  and  leaks  at  a  rate  that  you  specify  as  the  average  traffic  rate  in  bits 
per  second.  Each  time  a  token  is  added  to  the  bucket,  the  switch  verifies  that  there  is  enough  room  in  the 
bucket.  If  there  is  not  enough  room,  the  packet  is  marked  as  nonconforming,  and  the  specified  policer 
action  is  taken  (dropped  or  marked  down). 

How  quickly  the  bucket  fills  is  a  function  of  the  bucket  depth  (burst-byte),  the  rate  at  which  the  tokens 
are  removed  (rate-bps),  and  the  duration  of  the  burst  above  the  average  rate.  The  size  of  the  bucket 
imposes  an  upper  limit  on  the  burst  length  and  limits  the  number  of  frames  that  can  be  transmitted 
back-to-back.  If  the  burst  is  short,  the  bucket  does  not  overflow,  and  no  action  is  taken  against  the  traffic 
flow.  However,  if  a  burst  is  long  and  at  a  higher  rate,  the  bucket  overflows,  and  the  policing  actions  are 
taken  against  the  frames  in  that  burst. 

You configure the bucket depth (the maximum burst that is tolerated before the bucket overflows) by
using the burst-byte option of the police policy-map class configuration command or the mls qos
aggregate-policer global configuration command. You configure how fast (the average rate) that the
tokens are removed from the bucket by using the rate-bps option of the police policy-map class
configuration command or the mls qos aggregate-policer global configuration command.
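An aggregate policer shared by two classes, with the rate-bps and burst-byte values chosen as the text above describes. This is an added example and not one from the guide; the ACL numbers, the management subnet 10.10.0.0/16, the policer name and values, and the port number are assumptions.

```cisco
mls qos
!
! Two management protocols toward a (constructed) management subnet. They are
! separate classes so each can be counted and reported on its own.
access-list 110 permit tcp any 10.10.0.0 0.0.255.255 eq 22
access-list 111 permit udp any 10.10.0.0 0.0.255.255 eq snmp
class-map match-all mgmt-ssh
 match access-group 110
class-map match-all mgmt-snmp
 match access-group 111
!
! One aggregate policer: 2 Mb/s average (rate-bps), 32000-byte bucket
! (burst-byte), drop on excess. The bucket depth is what bounds a burst:
! about 21 full-size 1500-byte frames can arrive back to back above the
! average rate before the bucket overflows and the drop action starts.
mls qos aggregate-policer mgmt-2m 2000000 32000 exceed-action drop
!
! Both classes reference the same aggregate, so the 2 Mb/s limit applies to
! their combined rate, not 2 Mb/s each. An aggregate policer can only be
! shared by classes within the same policy map.
policy-map mgmt-in
 class mgmt-ssh
  police aggregate mgmt-2m
 class mgmt-snmp
  police aggregate mgmt-2m
!
interface gigabitethernet0/2
 service-policy input mgmt-in
!
! Verification: policer definition and the classes that use it.
show mls qos aggregate-policer mgmt-2m
show policy-map mgmt-in
```

Sizing burst-byte is the usual tuning point: too small and a legitimate client that sends a handful of full-size frames back to back is policed even though its average rate is well under the limit; too large and a short flood gets through before the policer reacts.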

Figure  27-4  shows  the  policing  and  marking  process  when  these  types  of  policy  maps  are  configured: 

•  A  nonhierarchical  policy  map  on  a  physical  port. 

•  The  interface  level  of  a  hierarchical  policy  map  attached  to  an  SVI.  The  physical  ports  are  specified 
in  this  secondary  policy  map. 
Figure 27-4        Policing and Marking Flowchart on Physical Ports

Note      Before configuring a hierarchical policy map with individual policers on an SVI, you must enable
VLAN-based QoS on the physical ports that belong to the SVI. Though a policy map is attached to the
SVI, the individual policers only affect traffic on the physical ports specified in the secondary interface
level of the hierarchical policy map.


A  hierarchical  policy  map  has  two  levels.  The  first  level,  the  VLAN  level,  specifies  the  actions  to  be 
taken  against  a  traffic  flow  on  an  SVI.  The  second  level,  the  interface  level,  specifies  the  actions  to  be 
taken  against  the  traffic  on  the  physical  ports  that  belong  to  the  SVI  and  are  specified  in  the 
interface-level  policy  map. 
When configuring policing on an SVI, you can create and configure a hierarchical policy map with these
two  levels: 

•  VLAN  level — Create  this  primary  level  by  configuring  class  maps  and  classes  that  specify  the  port 
trust  state  or  set  a  new  DSCP  or  IP  precedence  value  in  the  packet.  The  VLAN-level  policy  map 
applies  only  to  the  VLAN  in  an  SVI  and  does  not  support  policers. 

•  Interface level — Create this secondary level by configuring class maps and classes that specify the
individual policers on physical ports that belong to the SVI. The interface-level policy map only
supports individual policers and does not support aggregate policers. Beginning with Cisco IOS
Release 12.2(25)SED, you can configure different interface-level policy maps for each class defined
in the VLAN-level policy map.

See  the  "Classifying,  Policing,  and  Marking  Traffic  on  SVIs  by  Using  Hierarchical  Policy  Maps"  section 
on  page  27-50  for  an  example  of  a  hierarchical  policy  map. 
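A two-level hierarchical policy map built as the two bullets above describe, with the VLAN-level map marking and the interface-level map policing. This is an added example, not the guide's own configuration example; the ACL number, the subnet 10.20.0.0/16, VLAN 20, the policy names and the port numbers are assumptions.

```cisco
mls qos
!
! Class used at both levels: the VLAN level marks it, the interface level
! polices it on the physical ports that belong to the SVI.
access-list 120 permit ip 10.20.0.0 0.0.255.255 any
class-map match-all vlan20-users
 match access-group 120
!
! Interface level (secondary): individual policers only; no aggregate
! policers and no trust or set actions here. 5 Mb/s with a 16000-byte
! bucket, excess dropped.
policy-map vlan20-port-level
 class vlan20-users
  police 5000000 16000 exceed-action drop
!
! VLAN level (primary): trust or set only, no policers. The service-policy
! line inside the class is what makes the map hierarchical: it pulls in the
! interface-level map for that class.
policy-map vlan20-vlan-level
 class vlan20-users
  set dscp 10
  service-policy vlan20-port-level
!
! The physical ports must be switched to VLAN-based QoS first; without this
! the policy on the SVI has no ports on which its policers can act.
interface range gigabitethernet0/3 - 4
 switchport access vlan 20
 mls qos vlan-based
!
! A hierarchical policy map attaches only to the SVI, never to a physical port.
interface vlan 20
 service-policy input vlan20-vlan-level
!
! Verification.
show policy-map vlan20-vlan-level
show mls qos interface gigabitethernet0/3
```

The check to make before trusting such a policy is that every port carrying the VLAN has mls qos vlan-based set: a port that is missed is still classified by its own port-level settings and is not policed by the SVI policy.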

Figure 27-5 shows the policing and marking process when hierarchical policy maps are configured on an SVI.
Figure 27-5        Policing and Marking Flowchart on SVIs

Mapping Tables

During QoS processing, the switch represents the priority of all traffic (including non-IP traffic) with a
QoS label based on the DSCP or CoS value from the classification stage:

•  During classification, QoS uses configurable mapping tables to derive a corresponding DSCP or
CoS value from a received CoS, DSCP, or IP precedence value. These maps include the
CoS-to-DSCP map and the IP-precedence-to-DSCP map. You configure these maps by using the
mls qos map cos-dscp and the mls qos map ip-prec-dscp global configuration commands.

On an ingress port configured in the DSCP-trusted state, if the DSCP values are different between
the QoS domains, you can apply the configurable DSCP-to-DSCP-mutation map to the port that is
on the boundary between the two QoS domains. You configure this map by using the mls qos map
dscp-mutation global configuration command.

•  During policing, QoS can assign another DSCP value to an IP or a non-IP packet (if the packet is
out of profile and the policer specifies a marked-down value). This configurable map is called the
policed-DSCP map. You configure this map by using the mls qos map policed-dscp global
configuration command.

•  Before the traffic reaches the scheduling stage, QoS stores the packet in an ingress and an egress
queue according to the QoS label. The QoS label is based on the DSCP or the CoS value in the
packet and selects the queue through the DSCP input and output queue threshold maps or through
the CoS input and output queue threshold maps. You configure these maps by using the mls qos
srr-queue {input | output} dscp-map and the mls qos srr-queue {input | output} cos-map global
configuration commands.

The  CoS-to-DSCP,  DSCP-to-CoS,  and  the  IP-precedence-to-DSCP  maps  have  default  values  that  might 
or  might  not  be  appropriate  for  your  network. 

The  default  DSCP-to-DSCP-mutation  map  and  the  default  policed-DSCP  map  are  null  maps;  they  map 
an  incoming  DSCP  value  to  the  same  DSCP  value.  The  DSCP-to-DSCP-mutation  map  is  the  only  map 
you  apply  to  a  specific  port.  All  other  maps  apply  to  the  entire  switch. 

For  configuration  information,  see  the  "Configuring  DSCP  Maps"  section  on  page  27-57. 

For  information  about  the  DSCP  and  CoS  input  queue  threshold  maps,  see  the  "Queueing  and 
Scheduling  on  Ingress  Queues"  section  on  page  27-15.  For  information  about  the  DSCP  and  CoS  output 
queue  threshold  maps,  see  the  "Queueing  and  Scheduling  on  Egress  Queues"  section  on  page  27-17. 
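The classification-stage maps from the list above, with the one per-port map (DSCP-to-DSCP mutation) applied on a domain-boundary port. This is an added example rather than configuration from the guide; the mutation map name, the DSCP values chosen for the neighbouring domain, and the port number are assumptions.

```cisco
mls qos
!
! CoS-to-DSCP map: eight values, one for each CoS 0..7. The default is
! 0 8 16 24 32 40 48 56; here CoS 5 is mapped to DSCP 46 (EF) instead of
! 40 so voice marked at Layer 2 by an IP phone lands in EF.
mls qos map cos-dscp 0 8 16 24 32 46 48 56
!
! IP-precedence-to-DSCP map: the same idea for ports trusted on IP
! precedence; precedence 5 becomes DSCP 46.
mls qos map ip-prec-dscp 0 8 16 24 32 46 48 56
!
! DSCP-to-DSCP mutation map for a boundary port. The neighbouring domain
! (constructed) marks voice CS5 (40) and video AF41 (34) where this domain
! uses EF (46) and AF31 (26). Every DSCP not listed maps to itself, which is
! also what the default null map does for all 64 values.
mls qos map dscp-mutation partner-edge 40 to 46
mls qos map dscp-mutation partner-edge 34 to 26
!
! The mutation map is the only map applied per port rather than switch-wide,
! and it only acts on a port that trusts DSCP.
interface gigabitethernet0/24
 mls qos trust dscp
 mls qos dscp-mutation partner-edge
!
! Verify the tables the switch actually uses before relying on them.
show mls qos maps cos-dscp
show mls qos maps ip-prec-dscp
show mls qos maps dscp-mutation partner-edge
show mls qos interface gigabitethernet0/24
```

Because every map except the mutation map is switch-wide, a change to the CoS-to-DSCP or policed-DSCP map alters classification on every port at once; review the show mls qos maps output after each change rather than assuming only the intended port is affected.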


Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide (380261-003)

Chapter 27 Configuring QoS: Understanding QoS


Queueing  and  Scheduling  Overview 


The  switch  has  queues  at  specific  points  to  help  prevent  congestion  as  shown  in  Figure  27-6. 


Figure  27-6        Ingress  and  Egress  Queue  Location 
Because the total inbound bandwidth of all ports can exceed the bandwidth of the internal ring, ingress
queues  are  located  after  the  packet  is  classified,  policed,  and  marked  and  before  packets  are  forwarded 
into  the  switch  fabric.  Because  multiple  ingress  ports  can  simultaneously  send  packets  to  an  egress  port 
and  cause  congestion,  outbound  queues  are  located  after  the  internal  ring. 


Weighted  Tail  Drop 

Both  the  ingress  and  egress  queues  use  an  enhanced  version  of  the  tail-drop  congestion-avoidance 
mechanism  called  weighted  tail  drop  (WTD).  WTD  is  implemented  on  queues  to  manage  the  queue 
lengths  and  to  provide  drop  precedences  for  different  traffic  classifications. 

As  a  frame  is  enqueued  to  a  particular  queue,  WTD  uses  the  frame's  assigned  QoS  label  to  subject  it  to 
different  thresholds.  If  the  threshold  is  exceeded  for  that  QoS  label  (the  space  available  in  the  destination 
queue  is  less  than  the  size  of  the  frame),  the  switch  drops  the  frame. 

Figure  27-7  shows  an  example  of  WTD  operating  on  a  queue  whose  size  is  1000  frames.  Three  drop 
percentages  are  configured:  40  percent  (400  frames),  60  percent  (600  frames),  and  100  percent  (1000 
frames).  These  percentages  mean  that  up  to  400  frames  can  be  queued  at  the  40-percent  threshold,  up  to 
600  frames  at  the  60-percent  threshold,  and  up  to  1000  frames  at  the  100-percent  threshold. 

In  this  example,  CoS  values  6  and  7  have  a  greater  importance  than  the  other  CoS  values,  and  they  are 
assigned  to  the  100-percent  drop  threshold  (queue-full  state).  CoS  values  4  and  5  are  assigned  to  the 
60-percent  threshold,  and  CoS  values  0  to  3  are  assigned  to  the  40-percent  threshold. 

Suppose  the  queue  is  already  filled  with  600  frames,  and  a  new  frame  arrives.  It  contains  CoS  values  4 
and  5  and  is  subjected  to  the  60-percent  threshold.  If  this  frame  is  added  to  the  queue,  the  threshold  will 
be  exceeded,  so  the  switch  drops  it. 
Figure 27-7         WTD and Queue Operation

For more information, see the "Mapping DSCP or CoS Values to an Ingress Queue and Setting WTD
Thresholds"  section  on  page  27-64,  the  "Allocating  Buffer  Space  to  and  Setting  WTD  Thresholds  for  an 
Egress  Queue-Set"  section  on  page  27-68,  and  the  "Mapping  DSCP  or  CoS  Values  to  an  Egress  Queue 
and  to  a  Threshold  ID"  section  on  page  27-70. 


SRR  Shaping  and  Sharing 


Both  the  ingress  and  egress  queues  are  serviced  by  SRR,  which  controls  the  rate  at  which  packets  are 
sent.  On  the  ingress  queues,  SRR  sends  packets  to  the  internal  ring.  On  the  egress  queues,  SRR  sends 
packets  to  the  egress  port. 

You  can  configure  SRR  on  egress  queues  for  sharing  or  for  shaping.  However,  for  ingress  queues, 
sharing  is  the  default  mode,  and  it  is  the  only  mode  supported. 

In  shaped  mode,  the  egress  queues  are  guaranteed  a  percentage  of  the  bandwidth,  and  they  are 
rate-limited  to  that  amount.  Shaped  traffic  does  not  use  more  than  the  allocated  bandwidth  even  if  the 
link  is  idle.  Shaping  provides  a  more  even  flow  of  traffic  over  time  and  reduces  the  peaks  and  valleys  of 
bursty  traffic.  With  shaping,  the  absolute  value  of  each  weight  is  used  to  compute  the  bandwidth 
available  for  the  queues. 

In  shared  mode,  the  queues  share  the  bandwidth  among  them  according  to  the  configured  weights.  The 
bandwidth  is  guaranteed  at  this  level  but  not  limited  to  it.  For  example,  if  a  queue  is  empty  and  no  longer 
requires  a  share  of  the  link,  the  remaining  queues  can  expand  into  the  unused  bandwidth  and  share  it 
among  them.  With  sharing,  the  ratio  of  the  weights  controls  the  frequency  of  dequeuing;  the  absolute 
values  are  meaningless. 

For more information, see the "Allocating Bandwidth Between the Ingress Queues" section on
page 27-65, the "Configuring SRR Shaped Weights on Egress Queues" section on page 27-72, and the
"Configuring SRR Shared Weights on Egress Queues" section on page 27-73.
Queueing and Scheduling on Ingress Queues

Figure  27-8  shows  the  queueing  and  scheduling  flowchart  for  ingress  ports. 


Figure  27-8        Queueing  and  Scheduling  Flowchart  for  Ingress  Ports 
Note      SRR services the priority queue for its configured share before servicing the other queue.

The  switch  supports  two  configurable  ingress  queues,  which  are  serviced  by  SRR  in  shared  mode  only. 
Table  27-1  describes  the  queues. 


Table 27-1        Ingress Queue Types (1)

Queue Type: Normal
Function: User traffic that is considered to be normal priority. You can configure three different
thresholds to differentiate among the flows. You can use the mls qos srr-queue input
threshold, the mls qos srr-queue input dscp-map, and the mls qos srr-queue input
cos-map global configuration commands.

Queue Type: Expedite
Function: High-priority user traffic such as differentiated services (DS) expedited forwarding or
voice traffic. You can configure the bandwidth required for this traffic as a percentage
of the total traffic by using the mls qos srr-queue input priority-queue global
configuration command. The expedite queue has guaranteed bandwidth.

1.    The switch uses two nonconfigurable queues for traffic that is essential for proper network operation.
You assign each packet that flows through the switch to a queue and to a threshold. Specifically, you
map DSCP or CoS values to an ingress queue and map DSCP or CoS values to a threshold ID. You use
the mls qos srr-queue input dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id
dscp1...dscp8} or the mls qos srr-queue input cos-map queue queue-id {cos1...cos8 | threshold
threshold-id cos1...cos8} global configuration command. You can display the DSCP input queue
threshold map and the CoS input queue threshold map by using the show mls qos maps privileged
EXEC command.

WTD  Thresholds 

The queues use WTD to support distinct drop percentages for different traffic classes. Each queue has
three drop thresholds: two configurable (explicit) WTD thresholds and one nonconfigurable (implicit)
threshold preset to the queue-full state. You assign the two explicit WTD threshold percentages for
threshold ID 1 and ID 2 to the ingress queues by using the mls qos srr-queue input threshold queue-id
threshold-percentage1 threshold-percentage2 global configuration command. Each threshold value is a
percentage of the total number of allocated buffers for the queue. The drop threshold for threshold ID 3
is preset to the queue-full state, and you cannot modify it. For more information about how WTD works,
see the "Weighted Tail Drop" section on page 27-13.

Buffer  and  Bandwidth  Allocation 

You define the ratio (allocate the amount of space) with which to divide the ingress buffers between the
two queues by using the mls qos srr-queue input buffers percentage1 percentage2 global
configuration command. The buffer allocation together with the bandwidth allocation control how much
data can be buffered and sent before packets are dropped. You allocate bandwidth as a percentage by
using the mls qos srr-queue input bandwidth weight1 weight2 global configuration command. The
ratio of the weights is the ratio of the frequency in which the SRR scheduler sends packets from each
queue.

Priority  Queueing 

You can configure one ingress queue as the priority queue by using the mls qos srr-queue input
priority-queue queue-id bandwidth weight global configuration command. The priority queue should
be used for traffic (such as voice) that requires guaranteed delivery because this queue is guaranteed part
of the bandwidth regardless of the load on the internal ring.

SRR services the priority queue for its configured weight as specified by the bandwidth keyword in the
mls qos srr-queue input priority-queue queue-id bandwidth weight global configuration command.
Then, SRR shares the remaining bandwidth with both ingress queues and services them as specified by
the weights configured with the mls qos srr-queue input bandwidth weight1 weight2 global
configuration command.

You  can  combine  the  commands  described  in  this  section  to  prioritize  traffic  by  placing  packets  with 
particular  DSCPs  or  CoSs  into  certain  queues,  by  allocating  a  large  queue  size  or  by  servicing  the  queue 
more  frequently,  and  by  adjusting  queue  thresholds  so  that  packets  with  lower  priorities  are  dropped.  For 
configuration  information,  see  the  "Configuring  Ingress  Queue  Characteristics"  section  on  page  27-63. 
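The ingress-queue commands from this section combined the way the last paragraph suggests: queue placement by DSCP and CoS, WTD thresholds, buffer split, SRR weights and the priority queue. This is an added example and not a configuration from the guide; the percentages, weights and the DSCP-to-threshold assignments are assumptions made for illustration.

```cisco
mls qos
!
! Queue 2 is the expedite (priority) queue and is guaranteed 10% of the
! internal-ring bandwidth before SRR shares the rest. EF voice (DSCP 46)
! and CoS 5 go there at threshold 3, the implicit queue-full threshold.
mls qos srr-queue input priority-queue 2 bandwidth 10
mls qos srr-queue input dscp-map queue 2 threshold 3 46
mls qos srr-queue input cos-map queue 2 threshold 3 5
!
! Everything else stays in queue 1, the normal queue, but at different WTD
! thresholds: best effort and CS1/CS2 at threshold 1, the AF classes at
! threshold 2, and network control (CS6/CS7, CoS 6-7) at threshold 3 so it
! is dropped last.
mls qos srr-queue input dscp-map queue 1 threshold 1 0 8 16
mls qos srr-queue input dscp-map queue 1 threshold 2 10 18 26 34
mls qos srr-queue input dscp-map queue 1 threshold 3 48 56
mls qos srr-queue input cos-map queue 1 threshold 1 0 1 2 3
mls qos srr-queue input cos-map queue 1 threshold 3 6 7
!
! Thresholds 1 and 2 for queue 1, as percentages of its allocated buffers:
! threshold-1 traffic is tail-dropped once the queue is 40% full,
! threshold-2 traffic at 60%; threshold 3 is fixed at queue-full.
mls qos srr-queue input threshold 1 40 60
!
! Buffer split between queue 1 and queue 2 (must total 100), and the SRR
! share of the bandwidth that remains after the priority queue has taken
! its 10%: queue 1 is served 70% of the time, queue 2 30%.
mls qos srr-queue input buffers 90 10
mls qos srr-queue input bandwidth 70 30
!
! Verification: queue settings and the resulting input-queue maps.
show mls qos input-queue
show mls qos maps dscp-input-q
show mls qos maps cos-input-q
```

The threshold assignments are where the drop order is decided: with the values above a burst of best-effort traffic starts being discarded at 40 percent occupancy while control-plane traffic in the same queue is only dropped when the queue is actually full.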
Queueing and Scheduling on Egress Queues

Figure  27-9  shows  the  queueing  and  scheduling  flowchart  for  egress  ports. 


Note      If  the  expedite  queue  is  enabled,  SRR  services  it  until  it  is  empty  before  servicing  the  other  three  queues. 


Figure  27-9         Queueing  and  Scheduling  Flowchart  for  Egress  Ports 
Each port supports four egress queues, one of which (queue 1) can be the egress expedite queue. These
queues  are  assigned  to  a  queue-set.  All  traffic  exiting  the  switch  flows  through  one  of  these  four  queues 
and  is  subjected  to  a  threshold  based  on  the  QoS  label  assigned  to  the  packet. 
Figure 27-10 shows the egress queue buffer. The buffer space is divided between the common pool and
the  reserved  pool.  The  switch  uses  a  buffer  allocation  scheme  to  reserve  a  minimum  amount  of  buffers 
for  each  egress  queue,  to  prevent  any  queue  or  port  from  consuming  all  the  buffers  and  depriving  other 
queues,  and  to  control  whether  to  grant  buffer  space  to  a  requesting  queue.  The  switch  detects  whether 
the  target  queue  has  not  consumed  more  buffers  than  its  reserved  amount  (under-limit),  whether  it  has 
consumed  all  of  its  maximum  buffers  (over  limit),  and  whether  the  common  pool  is  empty  (no  free 
buffers)  or  not  empty  (free  buffers).  If  the  queue  is  not  over-limit,  the  switch  can  allocate  buffer  space 
from  the  reserved  pool  or  from  the  common  pool  (if  it  is  not  empty).  If  there  are  no  free  buffers  in  the 
common  pool  or  if  the  queue  is  over-limit,  the  switch  drops  the  frame. 


Figure 27-10       Egress Queue Buffer Allocation
Buffer and Memory Allocation

You guarantee the availability of buffers, set drop thresholds, and configure the maximum memory
allocation for a queue-set by using the mls qos queue-set output qset-id threshold queue-id
drop-threshold1 drop-threshold2 reserved-threshold maximum-threshold global configuration command.
Each threshold value is a percentage of the queue's allocated memory, which you specify by using the
mls qos queue-set output qset-id buffers allocation1 ... allocation4 global configuration command.
The sum of all the allocated buffers represents the reserved pool, and the remaining buffers are part of
the common pool.

Through  buffer  allocation,  you  can  ensure  that  high-priority  traffic  is  buffered.  For  example,  if  the  buffer 
space  is  400,  you  can  allocate  70  percent  of  it  to  queue  1  and  10  percent  to  queues  2  through  4.  Queue 
1  then  has  280  buffers  allocated  to  it,  and  queues  2  through  4  each  have  40  buffers  allocated  to  them. 

You  can  guarantee  that  the  allocated  buffers  are  reserved  for  a  specific  queue  in  a  queue-set.  For 
example,  if  there  are  100  buffers  for  a  queue,  you  can  reserve  50  percent  (50  buffers).  The  switch  returns 
the  remaining  50  buffers  to  the  common  pool.  You  also  can  enable  a  queue  in  the  full  condition  to  obtain 
more  buffers  than  are  reserved  for  it  by  setting  a  maximum  threshold.  The  switch  can  allocate  the  needed 
buffers  from  the  common  pool  if  the  common  pool  is  not  empty. 
WTD Thresholds

You can assign each packet that flows through the switch to a queue and to a threshold. Specifically, you
map DSCP or CoS values to an egress queue and map DSCP or CoS values to a threshold ID. You use
the mls qos srr-queue output dscp-map queue queue-id {dscp1...dscp8 | threshold threshold-id
dscp1...dscp8} or the mls qos srr-queue output cos-map queue queue-id {cos1...cos8 | threshold
threshold-id cos1...cos8} global configuration command. You can display the DSCP output queue
threshold map and the CoS output queue threshold map by using the show mls qos maps privileged
EXEC command.

The queues use WTD to support distinct drop percentages for different traffic classes. Each queue has
three drop thresholds: two configurable (explicit) WTD thresholds and one nonconfigurable (implicit)
threshold preset to the queue-full state. You assign the two WTD threshold percentages for threshold
ID 1 and ID 2. The drop threshold for threshold ID 3 is preset to the queue-full state, and you cannot
modify it. For more information about how WTD works, see the "Weighted Tail Drop" section on
page 27-13.

Shaped  or  Shared  Mode 

SRR services each queue-set in shared or shaped mode. You map a port to a queue-set by using the
queue-set qset-id interface configuration command. You assign shared or shaped weights to the port by
using the srr-queue bandwidth share weight1 weight2 weight3 weight4 or the srr-queue bandwidth
shape weight1 weight2 weight3 weight4 interface configuration command. For an explanation of the
differences between shaping and sharing, see the "SRR Shaping and Sharing" section on page 27-14.

The  buffer  allocation  together  with  the  SRR  weight  ratios  control  how  much  data  can  be  buffered  and 
sent  before  packets  are  dropped.  The  weight  ratio  is  the  ratio  of  the  frequency  in  which  the  SRR 
scheduler  sends  packets  from  each  queue. 

All  four  queues  participate  in  the  SRR  unless  the  expedite  queue  is  enabled,  in  which  case  the  first 
bandwidth  weight  is  ignored  and  is  not  used  in  the  ratio  calculation.  The  expedite  queue  is  a  priority 
queue,  and  it  is  serviced  until  empty  before  the  other  queues  are  serviced.  You  enable  the  expedite  queue 
by  using  the  priority-queue  out  interface  configuration  command. 

You  can  combine  the  commands  described  in  this  section  to  prioritize  traffic  by  placing  packets  with 
particular  DSCPs  or  CoSs  into  certain  queues,  by  allocating  a  large  queue  size  or  by  servicing  the  queue 
more  frequently,  and  by  adjusting  queue  thresholds  so  that  packets  with  lower  priorities  are  dropped.  For 
configuration  information,  see  the  "Configuring  Egress  Queue  Characteristics"  section  on  page  27-67. 


Note      The  egress  queue  default  settings  are  suitable  for  most  situations.  You  should  change  them  only  when 
you  have  a  thorough  understanding  of  the  egress  queues  and  if  these  settings  do  not  meet  your  QoS 
solution. 
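The egress-queue commands of this section as one configuration: output queue maps, a queue-set with buffer allocation and WTD thresholds, and SRR shared weights with the expedite queue enabled on a port. This is an added example and not one from the guide; the queue assignments, percentages, weights and the port number are assumptions, chosen to show the mechanics rather than as recommended values (the note above applies: the defaults are suitable for most situations).

```cisco
mls qos
!
! Output queue and threshold placement (these maps are switch-wide):
! queue 1 voice (EF), queue 2 AF classes and network control, queue 3
! best effort, queue 4 scavenger (CS1).
mls qos srr-queue output dscp-map queue 1 threshold 3 46
mls qos srr-queue output dscp-map queue 2 threshold 1 18 26 34
mls qos srr-queue output dscp-map queue 2 threshold 3 48 56
mls qos srr-queue output dscp-map queue 3 threshold 3 0
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 4 threshold 1 1
!
! Queue-set 1, buffers: percent of the port's buffers allocated to queues
! 1..4. Then per-queue thresholds, in the order
!   threshold <queue> <drop-threshold1> <drop-threshold2> <reserved> <maximum>
! all as percentages of that queue's allocation. Queue 1 keeps its whole
! allocation reserved and may borrow up to 200% from the common pool; queue 4
! reserves only half of its allocation and returns the rest to the common
! pool, and its threshold-1 traffic is dropped once it is 40% full.
mls qos queue-set output 1 buffers 40 20 20 20
mls qos queue-set output 1 threshold 1 100 100 100 200
mls qos queue-set output 1 threshold 2 70 90 100 150
mls qos queue-set output 1 threshold 3 60 80 100 100
mls qos queue-set output 1 threshold 4 40 60 50 100
!
! Bind the port to the queue-set, make queue 1 the strict-priority expedite
! queue, and share the remaining bandwidth 30:50:20 between queues 2, 3 and
! 4. With priority-queue out enabled the first share weight is ignored.
interface gigabitethernet0/1
 queue-set 1
 srr-queue bandwidth share 1 30 50 20
 priority-queue out
!
! Verification.
show mls qos queue-set 1
show mls qos interface gigabitethernet0/1 queueing
show mls qos maps dscp-output-q
```

Because the expedite queue is served until empty before any other queue, whatever is mapped into queue 1 can starve the rest of the port; the output DSCP and CoS maps, not the queue-set, decide what gets that privilege, so keep them limited to traffic that is also policed on ingress.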


Packet  Modification 

A  packet  is  classified,  policed,  and  queued  to  provide  QoS.  Packet  modifications  can  occur  during  this 
process: 

•    For  IP  and  non-IP  packets,  classification  involves  assigning  a  QoS  label  to  a  packet  based  on  the 
DSCP  or  CoS  of  the  received  packet.  However,  the  packet  is  not  modified  at  this  stage;  only  an 
indication  of  the  assigned  DSCP  or  CoS  value  is  carried  along.  The  reason  for  this  is  that  QoS 
classification  and  forwarding  lookups  occur  in  parallel,  and  it  is  possible  that  the  packet  is 
forwarded  with  its  original  DSCP  to  the  CPU  where  it  is  again  processed  through  software. 
•  During policing, IP and non-IP packets can have another DSCP assigned to them (if they are out of
profile  and  the  policer  specifies  a  markdown  DSCP).  Once  again,  the  DSCP  in  the  packet  is  not 
modified,  but  an  indication  of  the  marked-down  value  is  carried  along.  For  IP  packets,  the  packet 
modification  occurs  at  a  later  stage;  for  non-IP  packets  the  DSCP  is  converted  to  CoS  and  used  for 
queueing  and  scheduling  decisions. 

•  Depending  on  the  QoS  label  assigned  to  a  frame  and  the  mutation  chosen,  the  DSCP  and  CoS  values 
of  the  frame  are  rewritten.  If  you  do  not  configure  the  mutation  map  and  if  you  configure  the  port 
to  trust  the  DSCP  of  the  incoming  frame,  the  DSCP  value  in  the  frame  is  not  changed,  but  the  CoS 
is  rewritten  according  to  the  DSCP-to-CoS  map.  If  you  configure  the  port  to  trust  the  CoS  of  the 
incoming  frame  and  it  is  an  IP  packet,  the  CoS  value  in  the  frame  is  not  changed,  but  the  DSCP 
might  be  changed  according  to  the  CoS-to-DSCP  map. 

The  input  mutation  causes  the  DSCP  to  be  rewritten  depending  on  the  new  value  of  DSCP  chosen. 
The  set  action  in  a  policy  map  also  causes  the  DSCP  to  be  rewritten. 

Configuring Auto-QoS

You can use the auto-QoS feature to simplify the deployment of existing QoS features. Auto-QoS makes assumptions about the network design, and as a result, the switch can prioritize different traffic flows and appropriately use the ingress and egress queues instead of using the default QoS behavior. (The default is that QoS is disabled. The switch then offers best-effort service to each packet, regardless of the packet contents or size, and sends it from a single queue.)

When you enable auto-QoS, it automatically classifies traffic based on the traffic type and ingress packet label. The switch uses the resulting classification to choose the appropriate egress queue.

You use auto-QoS commands to identify ports connected to Cisco IP Phones and to devices running the Cisco SoftPhone application. You also use the commands to identify ports that receive trusted traffic through an uplink. Auto-QoS then performs these functions:

•  Detects the presence or absence of Cisco IP Phones

•  Configures QoS classification

•  Configures egress queues

These sections contain this configuration information:

•  Generated Auto-QoS Configuration, page 27-21

•  Effects of Auto-QoS on the Configuration, page 27-25

•  Auto-QoS Configuration Guidelines, page 27-25

•  Enabling Auto-QoS for VoIP, page 27-26

•  Auto-QoS Configuration Example, page 27-27



Generated Auto-QoS Configuration

By default, auto-QoS is disabled on all ports.

When auto-QoS is enabled, it uses the ingress packet label to categorize traffic, to assign packet labels, and to configure the ingress and egress queues as shown in Table 27-2.

Table 27-2    Traffic Types, Packet Labels, and Queues

Traffic Type               DSCP     CoS   CoS-to-Ingress Queue Map     CoS-to-Egress Queue Map
VoIP(1) data traffic       46       5     2, 3, 4, 5, 6, 7 (queue 2)   5 (queue 1)
VoIP control traffic       24, 26   3     2, 3, 4, 5, 6, 7 (queue 2)   3, 6, 7 (queue 2)
Routing protocol traffic   48       6     2, 3, 4, 5, 6, 7 (queue 2)   3, 6, 7 (queue 2)
STP BPDU traffic           56       7     2, 3, 4, 5, 6, 7 (queue 2)   3, 6, 7 (queue 2)
Real-time video traffic    34       4     2, 3, 4, 5, 6, 7 (queue 2)   4 (queue 3)
All other traffic          -        -     0, 1 (queue 1)               2 (queue 3); 0, 1 (queue 4)

1. VoIP = voice over IP


Table 27-3 shows the generated auto-QoS configuration for the ingress queues.

Table 27-3    Auto-QoS Configuration for the Ingress Queues

Ingress Queue   Queue Number   CoS-to-Queue Map    Queue Weight (Bandwidth)   Queue (Buffer) Size
SRR shared      1              0, 1                81 percent                 67 percent
Priority        2              2, 3, 4, 5, 6, 7    19 percent                 33 percent

Table 27-4 shows the generated auto-QoS configuration for the egress queues.

Table 27-4    Auto-QoS Configuration for the Egress Queues

Egress Queue        Queue Number   CoS-to-Queue Map   Queue Weight (Bandwidth)   Queue (Buffer) Size for Gigabit-Capable Ports   Queue (Buffer) Size for 10/100 Ethernet Ports
Priority (shaped)   1              5                  10 percent                 16 percent                                      10 percent
SRR shared          2              3, 6, 7            10 percent                 6 percent                                       10 percent
SRR shared          3              2, 4               60 percent                 17 percent                                      26 percent
SRR shared          4              0, 1               20 percent                 61 percent                                      54 percent

When you enable the auto-QoS feature on the first port, these automatic actions occur:

•  QoS is globally enabled (mls qos global configuration command), and other global configuration commands are added.

•  When you enter the auto qos voip cisco-phone interface configuration command on a port at the edge of the network that is connected to a Cisco IP Phone, the switch enables the trusted boundary feature. The switch uses the Cisco Discovery Protocol (CDP) to detect the presence or absence of a Cisco IP Phone. When a Cisco IP Phone is detected, the ingress classification on the port is set to trust the QoS label received in the packet. When a Cisco IP Phone is absent, the ingress classification is set to not trust the QoS label in the packet. The switch configures ingress and egress queues on the port according to the settings in Table 27-3 and Table 27-4.

•  When you enter the auto qos voip cisco-softphone interface configuration command on a port at the edge of the network that is connected to a device running the Cisco SoftPhone, the switch uses policing to determine whether a packet is in or out of profile and to specify the action on the packet. If the packet does not have a DSCP value of 24, 26, or 46 or is out of profile, the switch changes the DSCP value to 0. The switch configures ingress and egress queues on the port according to the settings in Table 27-3 and Table 27-4.

•  When you enter the auto qos voip trust interface configuration command on a port connected to the interior of the network, the switch trusts the CoS value for nonrouted ports in ingress packets (the assumption is that traffic has already been classified by other edge devices). The switch configures the ingress and egress queues on the port according to the settings in Table 27-3 and Table 27-4.

For information about the trusted boundary feature, see the "Configuring a Trusted Boundary to Ensure Port Security" section on page 27-37.

When you enable auto-QoS by using the auto qos voip cisco-phone, the auto qos voip cisco-softphone, or the auto qos voip trust interface configuration command, the switch automatically generates a QoS configuration based on the traffic type and ingress packet label and applies the commands listed in Table 27-5 to the port.


Table 27-5    Generated Auto-QoS Configuration

Each entry gives the description followed by the automatically generated commands.

The switch automatically enables standard QoS and configures the CoS-to-DSCP map (maps CoS values in incoming packets to a DSCP value).

Switch(config)# mls qos
Switch(config)# mls qos map cos-dscp 0 8 16 26 32 46 48 56

The switch automatically maps CoS values to an ingress queue and to a threshold ID.

Switch(config)# no mls qos srr-queue input cos-map
Switch(config)# mls qos srr-queue input cos-map queue 1 threshold 3 0
Switch(config)# mls qos srr-queue input cos-map queue 1 threshold 2 1
Switch(config)# mls qos srr-queue input cos-map queue 2 threshold 1 2
Switch(config)# mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
Switch(config)# mls qos srr-queue input cos-map queue 2 threshold 3 3 5

The switch automatically maps CoS values to an egress queue and to a threshold ID.

Switch(config)# no mls qos srr-queue output cos-map
Switch(config)# mls qos srr-queue output cos-map queue 1 threshold 3 5
Switch(config)# mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
Switch(config)# mls qos srr-queue output cos-map queue 3 threshold 3 2 4
Switch(config)# mls qos srr-queue output cos-map queue 4 threshold 2 1
Switch(config)# mls qos srr-queue output cos-map queue 4 threshold 3 0

The switch automatically maps DSCP values to an ingress queue and to a threshold ID.

Switch(config)# no mls qos srr-queue input dscp-map
Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 3 32
Switch(config)# mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
Switch(config)# mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
Switch(config)# mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
Switch(config)# mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
Switch(config)# mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
Switch(config)# mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47

The switch automatically maps DSCP values to an egress queue and to a threshold ID.

Switch(config)# no mls qos srr-queue output dscp-map
Switch(config)# mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
Switch(config)# mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
Switch(config)# mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
Switch(config)# mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
Switch(config)# mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
Switch(config)# mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
Switch(config)# mls qos srr-queue output dscp-map queue 4 threshold 1 8
Switch(config)# mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
Switch(config)# mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7

The switch automatically sets up the ingress queues, with queue 2 as the priority queue and queue 1 in shared mode. The switch also configures the bandwidth and buffer size for the ingress queues.

Switch(config)# no mls qos srr-queue input priority-queue 1
Switch(config)# no mls qos srr-queue input priority-queue 2
Switch(config)# mls qos srr-queue input bandwidth 90 10
Switch(config)# mls qos srr-queue input threshold 1 8 16
Switch(config)# mls qos srr-queue input threshold 2 34 66
Switch(config)# mls qos srr-queue input buffers 67 33

The switch automatically configures the egress queue buffer sizes. It configures the bandwidth and the SRR mode (shaped or shared) on the egress queues mapped to the port.

Switch(config)# mls qos queue-set output 1 threshold 1 138 138 92 138
Switch(config)# mls qos queue-set output 1 threshold 2 138 138 92 400
Switch(config)# mls qos queue-set output 1 threshold 3 36 77 100 318
Switch(config)# mls qos queue-set output 1 threshold 4 20 50 67 400
Switch(config)# mls qos queue-set output 2 threshold 1 149 149 100 149
Switch(config)# mls qos queue-set output 2 threshold 2 118 118 100 235
Switch(config)# mls qos queue-set output 2 threshold 3 41 68 100 272
Switch(config)# mls qos queue-set output 2 threshold 4 42 72 100 242
Switch(config)# mls qos queue-set output 1 buffers 10 10 26 54
Switch(config)# mls qos queue-set output 2 buffers 16 6 17 61
Switch(config-if)# srr-queue bandwidth shape 10 0 0 0
Switch(config-if)# srr-queue bandwidth share 10 10 60 20

If you entered the auto qos voip trust command, the switch automatically sets the ingress classification to trust the CoS value received in the packet on a nonrouted port by using the mls qos trust cos command.

Switch(config-if)# mls qos trust cos
Switch(config-if)# mls qos trust dscp

If you entered the auto qos voip cisco-phone command, the switch automatically enables the trusted boundary feature, which uses the CDP to detect the presence or absence of a Cisco IP Phone.

Switch(config-if)# mls qos trust device cisco-phone

If you entered the auto qos voip cisco-softphone command, the switch automatically creates class maps and policy maps.

Switch(config)# mls qos map policed-dscp 24 26 46 to 0
Switch(config)# class-map match-all AutoQoS-VoIP-RTP-Trust
Switch(config-cmap)# match ip dscp ef
Switch(config)# class-map match-all AutoQoS-VoIP-Control-Trust
Switch(config-cmap)# match ip dscp cs3 af31
Switch(config)# policy-map AutoQoS-Police-SoftPhone
Switch(config-pmap)# class AutoQoS-VoIP-RTP-Trust
Switch(config-pmap-c)# set dscp ef
Switch(config-pmap-c)# police 320000 8000 exceed-action policed-dscp-transmit
Switch(config-pmap)# class AutoQoS-VoIP-Control-Trust
Switch(config-pmap-c)# set dscp cs3
Switch(config-pmap-c)# police 32000 8000 exceed-action policed-dscp-transmit

After creating the class maps and policy maps, the switch automatically applies the policy map called AutoQoS-Police-SoftPhone to an ingress interface on which auto-QoS with the Cisco SoftPhone feature is enabled.

Switch(config-if)# service-policy input AutoQoS-Police-SoftPhone
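The following Python model is an added example, not part of this guide or of the switch software. It parses the generated DSCP-to-egress-queue commands of Table 27-5, applies the CoS-to-DSCP map, the SoftPhone class maps with their policed-DSCP markdown, and shows which egress queue and threshold one packet lands in for the trust, cisco-softphone and untrusted cases described in the "Packet Modification" and "Generated Auto-QoS Configuration" sections; the way the steps are chained for one packet is this example's own assumption.

```python
"""Model of the auto-QoS label handling in this chapter (added example).

The CoS-to-DSCP map, the policed-DSCP map, the SoftPhone class maps and
the DSCP-to-egress-queue map are copied from the generated commands in
Table 27-5.  How the steps chain for one packet is this example's own
assumption, not switch code.
"""
import re
from typing import Dict, Optional, Tuple

# Generated DSCP-to-egress-queue commands from Table 27-5.
AUTOQOS_OUTPUT_DSCP_MAP = """
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
"""

# "mls qos map cos-dscp 0 8 16 26 32 46 48 56": index is CoS, value is DSCP.
COS_TO_DSCP = [0, 8, 16, 26, 32, 46, 48, 56]

# "mls qos map policed-dscp 24 26 46 to 0": markdown for out-of-profile packets.
POLICED_DSCP = {24: 0, 26: 0, 46: 0}

# Class maps of AutoQoS-Police-SoftPhone: matched DSCP -> DSCP set by the class
# (AutoQoS-VoIP-RTP-Trust matches ef and sets ef; AutoQoS-VoIP-Control-Trust
# matches cs3 and af31 and sets cs3).
EF, CS3, AF31 = 46, 24, 26
SOFTPHONE_CLASSES = {EF: EF, CS3: CS3, AF31: CS3}

_MAP_RE = re.compile(r"queue (\d) threshold (\d)((?: \d+)+)$")


def parse_queue_map(text: str) -> Dict[int, Tuple[int, int]]:
    """Parse 'queue N threshold T v1 v2 ...' lines into {value: (queue, threshold)}."""
    qmap: Dict[int, Tuple[int, int]] = {}
    for line in text.strip().splitlines():
        m = _MAP_RE.search(line.strip())
        if not m:
            raise ValueError(f"unrecognised map line: {line!r}")
        queue, threshold = int(m.group(1)), int(m.group(2))
        for value in m.group(3).split():
            qmap[int(value)] = (queue, threshold)  # a later line wins, as on the CLI
    return qmap


OUTPUT_DSCP_MAP = parse_queue_map(AUTOQOS_OUTPUT_DSCP_MAP)


def softphone_police(dscp: int, in_profile: bool) -> int:
    """DSCP after the AutoQoS-Police-SoftPhone policy map.

    A packet whose DSCP is not 24, 26 or 46 matches no class and is sent as
    best effort (DSCP 0); a matched packet gets the class's 'set dscp' value
    and, if it exceeds the policer, is marked down through the policed-DSCP map.
    """
    if dscp not in SOFTPHONE_CLASSES:
        return 0
    marked = SOFTPHONE_CLASSES[dscp]
    return marked if in_profile else POLICED_DSCP[marked]


def walk(cos: int, dscp: int, mode: str, in_profile: bool = True) -> dict:
    """Follow one IP packet through a port configured by auto-QoS.

    mode is "trust" (auto qos voip trust: CoS kept, DSCP rewritten from the
    CoS-to-DSCP map), "softphone" (auto qos voip cisco-softphone: policed) or
    "untrusted" (QoS enabled, port at the default trust state: labels reset
    to 0).  The CoS rewrite through the DSCP-to-CoS map is not modelled, so
    cos is None where this model does not determine it.
    """
    out_cos: Optional[int] = cos
    if mode == "trust":
        dscp = COS_TO_DSCP[cos]
    elif mode == "softphone":
        dscp = softphone_police(dscp, in_profile)
        out_cos = None
    elif mode == "untrusted":
        out_cos, dscp = 0, 0
    else:
        raise ValueError(f"unknown mode: {mode}")
    queue, threshold = OUTPUT_DSCP_MAP[dscp]
    return {"cos": out_cos, "dscp": dscp, "queue": queue, "threshold": threshold}


if __name__ == "__main__":
    for args in [(5, 0, "trust"), (0, 26, "softphone"),
                 (0, 46, "softphone", False), (7, 56, "untrusted")]:
        print(args, "->", walk(*args))
```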
Effects of Auto-QoS on the Configuration

When auto-QoS is enabled, the auto qos voip interface configuration command and the generated configuration are added to the running configuration.

The switch applies the auto-QoS-generated commands as if the commands were entered from the CLI. An existing user configuration can cause the application of the generated commands to fail or to be overridden by the generated commands. These actions occur without warning. If all the generated commands are successfully applied, any user-entered configuration that was not overridden remains in the running configuration. Any user-entered configuration that was overridden can be retrieved by reloading the switch without saving the current configuration to memory. If the generated commands fail to be applied, the previous running configuration is restored.

Auto-QoS Configuration Guidelines

Before configuring auto-QoS, you should be aware of this information:

•  Auto-QoS configures the switch for VoIP with Cisco IP Phones on nonrouted and routed ports. Auto-QoS also configures the switch for VoIP with devices running the Cisco SoftPhone application.

Note: When a device running Cisco SoftPhone is connected to a nonrouted or routed port, the switch supports only one Cisco SoftPhone application per port.

•  To take advantage of the auto-QoS defaults, you should enable auto-QoS before you configure other QoS commands. If necessary, you can fine-tune the QoS configuration, but we recommend that you do so only after the auto-QoS configuration is completed. For more information, see the "Effects of Auto-QoS on the Configuration" section on page 27-25.

•  After auto-QoS is enabled, do not modify a policy map or aggregate policer that includes AutoQoS in its name. If you need to modify the policy map or aggregate policer, make a copy of it, and change the copied policy map or policer. To use this new policy map instead of the generated one, remove the generated policy map from the interface, and apply the new policy map to the interface.

•  You can enable auto-QoS on static, dynamic-access, voice VLAN access, and trunk ports.

•  By default, the CDP is enabled on all ports. For auto-QoS to function properly, do not disable the CDP.

•  When enabling auto-QoS with a Cisco IP Phone on a routed port, you must assign a static IP address to the IP phone.

•  This release supports only Cisco IP SoftPhone Version 1.3(3) or later.

•  Connected devices must use Cisco Call Manager Version 4 or later.
Enabling Auto-QoS for VoIP

Beginning in privileged EXEC mode, follow these steps to enable auto-QoS for VoIP within a QoS domain:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   interface interface-id
         Specify the port that is connected to a Cisco IP Phone, the port that is connected to a device running the Cisco SoftPhone feature, or the uplink port that is connected to another trusted switch or router in the interior of the network, and enter interface configuration mode.

Step 3   auto qos voip {cisco-phone | cisco-softphone | trust}
         Enable auto-QoS.
         The keywords have these meanings:
         •  cisco-phone: If the port is connected to a Cisco IP Phone, the QoS labels of incoming packets are trusted only when the telephone is detected.
         •  cisco-softphone: The port is connected to a device running the Cisco SoftPhone feature.
         •  trust: The uplink port is connected to a trusted switch or router, and the VoIP traffic classification in the ingress packet is trusted.

Step 4   end
         Return to privileged EXEC mode.

Step 5   show auto qos interface interface-id
         Verify your entries.
         This command displays the auto-QoS command on the interface on which auto-QoS was enabled. You can use the show running-config privileged EXEC command to display the auto-QoS configuration and the user modifications.

To display the QoS commands that are automatically generated when auto-QoS is enabled or disabled, enter the debug auto qos privileged EXEC command before enabling auto-QoS. For more information, see the debug autoqos command in the command reference for this release.

To disable auto-QoS on a port, use the no auto qos voip interface configuration command. Only the auto-QoS-generated interface configuration commands for this port are removed. If this is the last port on which auto-QoS is enabled and you enter the no auto qos voip command, auto-QoS is considered disabled even though the auto-QoS-generated global configuration commands remain (to avoid disrupting traffic on other ports affected by the global configuration).

You can use the no mls qos global configuration command to disable the auto-QoS-generated global configuration commands. With QoS disabled, there is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).

This example shows how to enable auto-QoS and to trust the QoS labels received in incoming packets when the switch or router connected to a port is a trusted device:

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# auto qos voip trust
Auto-QoS Configuration Example

This section describes how you could implement auto-QoS in a network, as shown in Figure 27-11. For optimum QoS performance, enable auto-QoS on all the devices in the network.

Figure 27-11    Auto-QoS Configuration Example Network

[Figure: a Cisco router with a link to the Internet, a blade server, a Catalyst 2970 switch, a Catalyst 3560 switch, Cisco IP phones, and a video server at 172.20.10.16. For the Catalyst 2970 and the Catalyst 3560, the figure labels the interface to identify as connected to a trusted switch or router and the interfaces to identify as connected to IP phones.]

Figure 27-11 shows a network in which the VoIP traffic is prioritized over all other traffic. Auto-QoS is enabled on the switches in the wiring closets at the edge of the QoS domain.
Note: You should not configure any standard QoS commands before entering the auto-QoS commands. You can fine-tune the QoS configuration, but we recommend that you do so only after the auto-QoS configuration is completed.

Beginning in privileged EXEC mode, follow these steps to configure the switch at the edge of the QoS domain to prioritize the VoIP traffic over all other traffic:

Step 1   debug auto qos
         Enable debugging for auto-QoS. When debugging is enabled, the switch displays the QoS configuration that is automatically generated when auto-QoS is enabled.

Step 2   configure terminal
         Enter global configuration mode.

Step 3   cdp enable
         Enable CDP globally. By default, it is enabled.

Step 4   interface interface-id
         Specify the switch port connected to the Cisco IP Phone, and enter interface configuration mode.

Step 5   auto qos voip cisco-phone
         Enable auto-QoS on the port, and specify that the port is connected to a Cisco IP Phone.
         The QoS labels of incoming packets are trusted only when the Cisco IP Phone is detected.

Step 6   exit
         Return to global configuration mode.

Step 7   Repeat Steps 4 to 6 for as many ports as are connected to the Cisco IP Phone.

Step 8   interface interface-id
         Specify the switch port identified as connected to a trusted switch or router, and enter interface configuration mode. See Figure 27-11.

Step 9   auto qos voip trust
         Enable auto-QoS on the port, and specify that the port is connected to a trusted router or switch.

Step 10  end
         Return to privileged EXEC mode.

Step 11  show auto qos
         Verify your entries.
         This command displays the auto-QoS command on the interface on which auto-QoS was enabled. You can use the show running-config privileged EXEC command to display the auto-QoS configuration and the user modifications.
         For information about the QoS configuration that might be affected by auto-QoS, see the "Displaying Auto-QoS Information" section on page 26-12.

Step 12  copy running-config startup-config
         Save the auto qos voip interface configuration commands and the generated auto-QoS configuration in the configuration file.
Displaying Auto-QoS Information

To display the initial auto-QoS configuration, use the show auto qos [interface [interface-id]] privileged EXEC command. To display any user changes to that configuration, use the show running-config privileged EXEC command. You can compare the show auto qos and the show running-config command output to identify the user-defined QoS settings.

To display information about the QoS configuration that might be affected by auto-QoS, use one of these commands:

•  show mls qos

•  show mls qos maps cos-dscp

•  show mls qos interface [interface-id] [buffers | queueing]

•  show mls qos maps [cos-dscp | cos-input-q | cos-output-q | dscp-cos | dscp-input-q | dscp-output-q]

•  show mls qos input-queue

•  show running-config

For more information about these commands, see the command reference for this release.
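Because the generated commands can be overridden by, or fail against, an existing configuration without warning (see "Effects of Auto-QoS on the Configuration"), the comparison of show auto qos with show running-config described above is worth automating. The following Python script is an added example, not part of this guide: it takes the generated global commands (a subset of Table 27-5) and a constructed show running-config excerpt, and reports generated commands that are missing, user-entered mls qos commands, and the pairs where a user command appears to have overridden a generated one.

```python
"""Compare auto-QoS-generated global commands with a running configuration
(added example, not from the guide).  GENERATED_SAMPLE is a subset of
Table 27-5; RUNNING_SAMPLE is constructed, with two of the generated
commands replaced by user-entered values."""
import re
from typing import Dict, List, Set

GENERATED_SAMPLE = """
Switch(config)# mls qos
Switch(config)# mls qos map cos-dscp 0 8 16 26 32 46 48 56
Switch(config)# no mls qos srr-queue input cos-map
Switch(config)# mls qos srr-queue input cos-map queue 1 threshold 3 0
Switch(config)# mls qos srr-queue input cos-map queue 1 threshold 2 1
Switch(config)# mls qos srr-queue input bandwidth 90 10
Switch(config)# mls qos srr-queue input buffers 67 33
Switch(config)# mls qos map policed-dscp 24 26 46 to 0
"""

# Constructed show running-config excerpt: cos-dscp and input bandwidth differ
# from the generated values; the interface block must not be compared.
RUNNING_SAMPLE = """\
!
mls qos map policed-dscp  24 26 46 to 0
mls qos map cos-dscp 0 8 16 24 32 46 48 56
mls qos srr-queue input bandwidth 70 30
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos
!
interface GigabitEthernet0/1
 mls qos trust cos
 auto qos voip trust
!
"""

PROMPT_RE = re.compile(r"^\s*Switch\([^)]*\)\s*#\s*")


def normalise(line: str) -> str:
    """Drop the CLI prompt and collapse whitespace so that lines compare equal."""
    return " ".join(PROMPT_RE.sub("", line).split())


def generated_commands(text: str) -> Set[str]:
    """Global commands auto-QoS applies.  'no ...' resets never show up in a
    running configuration, so they are not expected there."""
    cmds = {normalise(raw) for raw in text.splitlines()}
    return {c for c in cmds if c and not c.startswith("no ")}


def running_global_qos(text: str) -> Set[str]:
    """Global 'mls qos' lines from show running-config output; indented lines
    belong to an interface or another sub-mode and are skipped."""
    cmds: Set[str] = set()
    for raw in text.splitlines():
        if raw.startswith((" ", "\t", "!")):
            continue
        cmd = " ".join(raw.split())
        if cmd.startswith("mls qos"):
            cmds.add(cmd)
    return cmds


def command_key(cmd: str) -> str:
    """Keyword prefix up to the first numeric argument, e.g.
    'mls qos srr-queue input bandwidth' for '... bandwidth 90 10'."""
    keywords: List[str] = []
    for tok in cmd.split():
        if tok.isdigit():
            break
        keywords.append(tok)
    return " ".join(keywords)


def audit_autoqos(generated: str, running: str) -> Dict[str, object]:
    """Report generated commands missing from the running configuration,
    user-entered mls qos commands, and the missing commands that exactly one
    user command with the same keywords appears to have overridden."""
    expected = generated_commands(generated)
    present = running_global_qos(running)
    missing = sorted(expected - present)
    user_defined = sorted(present - expected)
    by_key: Dict[str, List[str]] = {}
    for cmd in user_defined:
        by_key.setdefault(command_key(cmd), []).append(cmd)
    missing_keys = [command_key(cmd) for cmd in missing]
    overridden: Dict[str, str] = {}
    for cmd, key in zip(missing, missing_keys):
        candidates = by_key.get(key, [])
        # Only pair when the keyword prefix is unambiguous on both sides.
        if len(candidates) == 1 and missing_keys.count(key) == 1:
            overridden[cmd] = candidates[0]
    return {"missing": missing, "user_defined": user_defined, "overridden": overridden}


if __name__ == "__main__":
    for name, value in audit_autoqos(GENERATED_SAMPLE, RUNNING_SAMPLE).items():
        print(name, value)
```

In practice, feed the script the output of show auto qos (for the generated commands) and show running-config from the switch; a non-empty "missing" list is the signal that auto-QoS did not fully apply.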

Configuring Standard QoS

Before configuring standard QoS, you must have a thorough understanding of these items:

•  The types of applications used and the traffic patterns on your network.

•  Traffic characteristics and needs of your network. Is the traffic bursty? Do you need to reserve bandwidth for voice and video streams?

•  Bandwidth requirements and speed of the network.

•  Location of congestion points in the network.

These sections contain this configuration information:

•  Default Standard QoS Configuration, page 27-30

•  Standard QoS Configuration Guidelines, page 27-32

•  Enabling QoS Globally, page 27-34 (required)

•  Enabling VLAN-Based QoS on Physical Ports, page 27-34 (optional)

•  Configuring Classification Using Port Trust States, page 27-35 (required)

•  Configuring a QoS Policy, page 27-41 (required)

•  Configuring DSCP Maps, page 27-57 (optional, unless you need to use the DSCP-to-DSCP-mutation map or the policed-DSCP map)

•  Configuring Ingress Queue Characteristics, page 27-63 (optional)

•  Configuring Egress Queue Characteristics, page 27-67 (optional)
Default Standard QoS Configuration

QoS is disabled. There is no concept of trusted or untrusted ports because the packets are not modified (the CoS, DSCP, and IP precedence values in the packet are not changed). Traffic is switched in pass-through mode (packets are switched without any rewrites and classified as best effort without any policing).

When QoS is enabled with the mls qos global configuration command and all other QoS settings are at their defaults, traffic is classified as best effort (the DSCP and CoS value is set to 0) without any policing. No policy maps are configured. The default port trust state on all ports is untrusted. The default ingress and egress queue settings are described in the "Default Ingress Queue Configuration" section on page 27-30 and the "Default Egress Queue Configuration" section on page 27-31.

Default Ingress Queue Configuration

Table 27-6 shows the default ingress queue configuration when QoS is enabled.

Table 27-6    Default Ingress Queue Configuration

Feature                        Queue 1       Queue 2
Buffer allocation              90 percent    10 percent
Bandwidth allocation (1)       4             4
Priority queue bandwidth (2)   0             10
WTD drop threshold 1           100 percent   100 percent
WTD drop threshold 2           100 percent   100 percent

1. The bandwidth is equally shared between the queues. SRR sends packets in shared mode only.

2. Queue 2 is the priority queue. SRR services the priority queue for its configured share before servicing the other queue.

Table 27-7 shows the default CoS input queue threshold map when QoS is enabled.

Table 27-7    Default CoS Input Queue Threshold Map

CoS Value   Queue ID-Threshold ID
0-4         1-1
5           2-1
6, 7        1-1

Table 27-8 shows the default DSCP input queue threshold map when QoS is enabled.

Table 27-8    Default DSCP Input Queue Threshold Map

DSCP Value   Queue ID-Threshold ID
0-39         1-1
40-47        2-1
48-63        1-1
Default Egress Queue Configuration

Table 27-9 shows the default egress queue configuration for each queue-set when QoS is enabled. All ports are mapped to queue-set 1. The port bandwidth limit is set to 100 percent and rate unlimited.

Table 27-9    Default Egress Queue Configuration

Feature                             Queue 1       Queue 2       Queue 3       Queue 4
Buffer allocation                   25 percent    25 percent    25 percent    25 percent
WTD drop threshold 1                100 percent   200 percent   100 percent   100 percent
WTD drop threshold 2                100 percent   200 percent   100 percent   100 percent
Reserved threshold                  50 percent    50 percent    50 percent    50 percent
Maximum threshold                   400 percent   400 percent   400 percent   400 percent
SRR shaped weights (absolute) (1)   25            0             0             0
SRR shared weights (2)              25            25            25            25

1. A shaped weight of zero means that this queue is operating in shared mode.

2. One quarter of the bandwidth is allocated to each queue.

Table 27-10 shows the default CoS output queue threshold map when QoS is enabled.

Table 27-10    Default CoS Output Queue Threshold Map

CoS Value   Queue ID-Threshold ID
0, 1        2-1
2, 3        3-1
4           4-1
5           1-1
6, 7        4-1

Table 27-11 shows the default DSCP output queue threshold map when QoS is enabled.

Table 27-11    Default DSCP Output Queue Threshold Map

DSCP Value   Queue ID-Threshold ID
0-15         2-1
16-31        3-1
32-39        4-1
40-47        1-1
48-63        4-1
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Default  Mapping  Table  Configuration 

The  default  CoS-to-DSCP  map  is  shown  in  Table  27-12  on  page  27-58. 

The  default  IP-precedence-to-DSCP  map  is  shown  in  Table  27-13  on  page  27-59. 

The  default  DSCP-to-CoS  map  is  shown  in  Table  27-14  on  page  27-61. 

The  default  DSCP-to-DSCP-mutation  map  is  a  null  map,  which  maps  an  incoming  DSCP  value  to  the 
same  DSCP  value. 

The  default  policed-DSCP  map  is  a  null  map,  which  maps  an  incoming  DSCP  value  to  the  same  DSCP 
value  (no  markdown). 


Standard  QoS  Configuration  Guidelines 

Before  beginning  the  QoS  configuration,  you  should  be  aware  of  this  information  in  these  sections: 

•  "QoS  ACL  Guidelines"  section  on  page  27-32 

•  "Applying  QoS  on  Interfaces"  section  on  page  27-32 

•  "Policing  Guidelines"  section  on  page  27-33 

•  "General  QoS  Guidelines"  section  on  page  27-33 

QoS  ACL  Guidelines 

These  are  the  guidelines  for  configuring  QoS  with  access  control  lists  (ACLs): 

•  It  is  not  possible  to  match  IP  fragments  against  configured  IP  extended  ACLs  to  enforce  QoS.  IP 
fragments  are  sent  as  best-effort.  IP  fragments  are  denoted  by  fields  in  the  IP  header. 

•  Only  one  ACL  per  class  map  and  only  one  match  class-map  configuration  command  per  class  map 
are  supported.  The  ACL  can  have  multiple  ACEs,  which  match  fields  against  the  contents  of  the 
packet. 

•  A  trust  statement  in  a  policy  map  requires  multiple  TCAM  entries  per  ACL  line.  If  an  input  service 
policy  map  contains  a  trust  statement  in  an  ACL,  the  access-list  might  be  too  large  to  fit  into  the 
available  QoS  TCAM  and  an  error  can  occur  when  you  apply  the  policy  map  to  a  port.  Whenever 
possible,  you  should  minimize  the  number  of  lines  in  a  QoS  ACL. 


Applying  QoS  on  Interfaces 

These  are  the  guidelines  for  configuring  QoS  on  physical  ports: 

•  You  can  configure  QoS  on  physical  ports  and  SVIs.  When  configuring  QoS  on  physical  ports,  you 
create  and  apply  nonhierarchical  policy  maps.  When  configuring  QoS  on  SVIs,  you  can  create  and 
apply  nonhierarchical  and  hierarchical  policy  maps. 

•  Incoming  traffic  is  classified,  policed,  and  marked  down  (if  configured)  regardless  of  whether  the 
traffic  is  bridged,  routed,  or  sent  to  the  CPU.  It  is  possible  for  bridged  frames  to  be  dropped  or  to 
have  their  DSCP  and  CoS  values  modified. 
•  Follow these guidelines when configuring policy maps on physical ports or SVIs:

-  You  cannot  apply  the  same  policy  map  to  a  physical  port  and  to  an  SVI. 

-  If  VLAN-based  QoS  is  configured  on  a  physical  port,  the  switch  removes  all  the  port-based 
policy  maps  on  the  port.  The  traffic  on  this  physical  port  is  now  affected  by  the  policy  map 
attached  to  the  SVI  to  which  the  physical  port  belongs. 

-  In  a  hierarchical  policy  map  attached  to  an  SVI,  you  can  only  configure  an  individual  policer  at 
the  interface  level  on  a  physical  port  to  specify  the  bandwidth  limits  for  the  traffic  on  the  port. 
The  ingress  port  must  be  configured  as  a  trunk  or  as  a  static-access  port.  You  cannot  configure 
policers  at  the  VLAN  level  of  the  hierarchical  policy  map. 

-  The  switch  does  not  support  aggregate  policers  in  hierarchical  policy  maps. 

-  After  the  hierarchical  policy  map  is  attached  to  an  SVI,  the  interface-level  policy  map  cannot 
be  modified  or  removed  from  the  hierarchical  policy  map.  A  new  interface-level  policy  map 
also  cannot  be  added  to  the  hierarchical  policy  map.  If  you  want  these  changes  to  occur,  the 
hierarchical  policy  map  must  first  be  removed  from  the  SVI.  You  also  cannot  add  or  remove  a 
class  map  specified  in  the  hierarchical  policy  map. 

Policing  Guidelines 

These  are  the  policing  guidelines: 

•  The  port  ASIC  device,  which  controls  more  than  one  physical  port,  supports  256  policers  (255 
user-configurable  policers  plus  1  policer  reserved  for  system  internal  use).  The  maximum  number 
of  user-configurable  policers  supported  per  port  is  63.  Policers  are  allocated  on  demand  by  the 
software  and  are  constrained  by  the  hardware  and  ASIC  boundaries.  You  cannot  reserve  policers  per 
port;  there  is  no  guarantee  that  a  port  will  be  assigned  to  any  policer. 

•  Only  one  policer  is  applied  to  a  packet  on  an  ingress  port.  Only  the  average  rate  and  committed  burst 
parameters  are  configurable. 

•  You  can  create  an  aggregate  policer  that  is  shared  by  multiple  traffic  classes  within  the  same 
nonhierarchical  policy  map.  However,  you  cannot  use  the  aggregate  policer  across  different  policy 
maps. 

•  On  a  port  configured  for  QoS,  all  traffic  received  through  the  port  is  classified,  policed,  and  marked 
according  to  the  policy  map  attached  to  the  port.  On  a  trunk  port  configured  for  QoS,  traffic  in  all 
VLANs  received  through  the  port  is  classified,  policed,  and  marked  according  to  the  policy  map 
attached  to  the  port. 

•  If  you  have  EtherChannel  ports  configured  on  your  switch,  you  must  configure  QoS  classification, 
policing,  mapping,  and  queueing  on  the  individual  physical  ports  that  comprise  the  EtherChannel. 
You  must  decide  whether  the  QoS  configuration  should  match  on  all  ports  in  the  EtherChannel. 

General  QoS  Guidelines 

These  are  general  QoS  guidelines: 

•  Control  traffic  (such  as  spanning-tree  bridge  protocol  data  units  [BPDUs]  and  routing  update 
packets)  received  by  the  switch  are  subject  to  all  ingress  QoS  processing. 

•  You  are  likely  to  lose  data  when  you  change  queue  settings;  therefore,  try  to  make  changes  when 
traffic  is  at  a  minimum. 
Enabling QoS Globally

By default, QoS is disabled on the switch.

Beginning in privileged EXEC mode, follow these steps to enable QoS. This procedure is required.

Step 1   configure terminal
         Enter global configuration mode.

Step 2   mls qos
         Enable QoS globally.
         QoS runs with the default settings described in the "Default Standard QoS Configuration" section on page 27-30, the "Queueing and Scheduling on Ingress Queues" section on page 27-15, and the "Queueing and Scheduling on Egress Queues" section on page 27-17.

Step 3   end
         Return to privileged EXEC mode.

Step 4   show mls qos
         Verify your entries.

Step 5   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To disable QoS, use the no mls qos global configuration command.


Enabling  VLAN-Based  QoS  on  Physical  Ports 

By  default,  VLAN-based  QoS  is  disabled  on  all  physical  switch  ports.  The  switch  applies  QoS,  including 
class  maps  and  policy  maps,  only  on  a  physical-port  basis.  You  can  enable  VLAN-based  QoS  on  a  switch 
port. 

Beginning in privileged EXEC mode, follow these steps to enable VLAN-based QoS. This procedure is required on physical ports that are specified in the interface level of a hierarchical policy map on an SVI.

Step 1   configure terminal
         Enter global configuration mode.

Step 2   interface interface-id
         Specify the physical port, and enter interface configuration mode.

Step 3   mls qos vlan-based
         Enable VLAN-based QoS on the port.

Step 4   end
         Return to privileged EXEC mode.

Step 5   show mls qos interface interface-id
         Verify if VLAN-based QoS is enabled on the physical port.

Step 6   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

Use the no mls qos vlan-based interface configuration command to disable VLAN-based QoS on the physical port.
Configuring Classification Using Port Trust States

These  sections  describe  how  to  classify  incoming  traffic  by  using  port  trust  states.  Depending  on  your 
network  configuration,  you  must  perform  one  or  more  of  these  tasks  or  one  or  more  of  the  tasks  in  the 
"Configuring  a  QoS  Policy"  section  on  page  27-41: 

•  Configuring  the  Trust  State  on  Ports  within  the  QoS  Domain,  page  27-35 

•  Configuring  the  CoS  Value  for  an  Interface,  page  27-37 

•  Configuring  a  Trusted  Boundary  to  Ensure  Port  Security,  page  27-37 

•  Enabling  DSCP  Transparency  Mode,  page  27-39 

•  Configuring  the  DSCP  Trust  State  on  a  Port  Bordering  Another  QoS  Domain,  page  27-39 

Configuring  the  Trust  State  on  Ports  within  the  QoS  Domain 

Packets  entering  a  QoS  domain  are  classified  at  the  edge  of  the  QoS  domain.  When  the  packets  are 
classified  at  the  edge,  the  switch  port  within  the  QoS  domain  can  be  configured  to  one  of  the  trusted 
states  because  there  is  no  need  to  classify  the  packets  at  every  switch  within  the  QoS  domain. 
Figure  27-12  shows  a  sample  network  topology. 


Figure 27-12       Port Trusted States within the QoS Domain (figure not reproduced; its only callout is "Trusted boundary")
Beginning in privileged EXEC mode, follow these steps to configure the port to trust the classification of the traffic that it receives:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   interface interface-id
         Specify the port to be trusted, and enter interface configuration mode.
         Valid interfaces include physical ports.

Step 3   mls qos trust [cos | dscp | ip-precedence]
         Configure the port trust state.
         By default, the port is not trusted. If no keyword is specified, the default is dscp.
         The keywords have these meanings:
         •  cos—Classifies an ingress packet by using the packet CoS value. For an untagged packet, the port default CoS value is used. The default port CoS value is 0.
         •  dscp—Classifies an ingress packet by using the packet DSCP value. For a non-IP packet, the packet CoS value is used if the packet is tagged; for an untagged packet, the default port CoS is used. Internally, the switch maps the CoS value to a DSCP value by using the CoS-to-DSCP map.
         •  ip-precedence—Classifies an ingress packet by using the packet IP-precedence value. For a non-IP packet, the packet CoS value is used if the packet is tagged; for an untagged packet, the default port CoS is used. Internally, the switch maps the CoS value to a DSCP value by using the CoS-to-DSCP map.

Step 4   end
         Return to privileged EXEC mode.

Step 5   show mls qos interface
         Verify your entries.

Step 6   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To return a port to its untrusted state, use the no mls qos trust interface configuration command.

For information on how to change the default CoS value, see the "Configuring the CoS Value for an Interface" section on page 27-37. For information on how to configure the CoS-to-DSCP map, see the "Configuring the CoS-to-DSCP Map" section on page 27-58.
Configuring the CoS Value for an Interface

QoS assigns the CoS value specified with the mls qos cos interface configuration command to untagged frames received on trusted and untrusted ports.

Beginning in privileged EXEC mode, follow these steps to define the default CoS value of a port or to assign the default CoS to all incoming packets on the port:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   interface interface-id
         Specify the port to be configured, and enter interface configuration mode.
         Valid interfaces include physical ports.

Step 3   mls qos cos {default-cos | override}
         Configure the default CoS value for the port.
         •  For default-cos, specify a default CoS value to be assigned to a port. If the packet is untagged, the default CoS value becomes the packet CoS value. The CoS range is 0 to 7. The default is 0.
         •  Use the override keyword to override the previously configured trust state of the incoming packet and to apply the default port CoS value to the port on all incoming packets. By default, CoS override is disabled.
            Use the override keyword when all incoming packets on specified ports deserve higher or lower priority than packets entering from other ports. Even if a port was previously set to trust DSCP, CoS, or IP precedence, this command overrides the previously configured trust state, and all the incoming CoS values are assigned the default CoS value configured with this command. If an incoming packet is tagged, the CoS value of the packet is modified with the default CoS of the port at the ingress port.

Step 4   end
         Return to privileged EXEC mode.

Step 5   show mls qos interface
         Verify your entries.

Step 6   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To return to the default setting, use the no mls qos cos {default-cos | override} interface configuration command.


Configuring  a  Trusted  Boundary  to  Ensure  Port  Security 

In a typical network, you connect a Cisco IP Phone to a switch port, as shown in Figure 27-12 on page 27-35, and cascade devices that generate data packets from the back of the telephone. The Cisco IP Phone guarantees the voice quality through a shared data link by marking the CoS level of the voice packets as high priority (CoS = 5) and by marking the data packets as low priority (CoS = 0). Traffic sent from the telephone to the switch is typically marked with a tag that uses the 802.1Q header. The header contains the VLAN information and the class of service (CoS) 3-bit field, which is the priority of the packet.

For most Cisco IP Phone configurations, the traffic sent from the telephone to the switch should be trusted to ensure that voice traffic is properly prioritized over other types of traffic in the network. By using the mls qos trust cos interface configuration command, you configure the switch port to which the telephone is connected to trust the CoS labels of all traffic received on that port. Use the mls qos trust dscp interface configuration command to configure a routed port to which the telephone is connected to trust the DSCP labels of all traffic received on that port.

With the trusted setting, you also can use the trusted boundary feature to prevent misuse of a high-priority queue if a user bypasses the telephone and connects the PC directly to the switch. Without trusted boundary, the CoS labels generated by the PC are trusted by the switch (because of the trusted CoS setting). By contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the trusted boundary feature disables the trusted setting on the switch port and prevents misuse of a high-priority queue. Note that the trusted boundary feature is not effective if the PC and Cisco IP Phone are connected to a hub that is connected to the switch.

In some situations, you can prevent a PC connected to the Cisco IP Phone from taking advantage of a high-priority data queue. You can use the switchport priority extend cos interface configuration command to configure the telephone through the switch CLI to override the priority of the traffic received from the PC.

Beginning in privileged EXEC mode, follow these steps to enable trusted boundary on a port:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   cdp run
         Enable CDP globally. By default, CDP is enabled.

Step 3   interface interface-id
         Specify the port connected to the Cisco IP Phone, and enter interface configuration mode.
         Valid interfaces include physical ports.

Step 4   cdp enable
         Enable CDP on the port. By default, CDP is enabled.

Step 5   mls qos trust cos
         Configure the switch port to trust the CoS value in traffic received from the Cisco IP Phone.
         or
         mls qos trust dscp
         Configure the routed port to trust the DSCP value in traffic received from the Cisco IP Phone.
         By default, the port is not trusted.

Step 6   mls qos trust device cisco-phone
         Specify that the Cisco IP Phone is a trusted device.
         You cannot enable both trusted boundary and auto-QoS (auto qos voip interface configuration command) at the same time; they are mutually exclusive.

Step 7   end
         Return to privileged EXEC mode.

Step 8   show mls qos interface
         Verify your entries.

Step 9   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To disable the trusted boundary feature, use the no mls qos trust device interface configuration command.
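The ingress classification rules of the last three procedures (port trust state, CoS override, and trusted boundary), as an added Python model that is not part of the guide. It assumes the standard Catalyst default CoS-to-DSCP map of Table 27-12 (DSCP = CoS x 8, also used for IP precedence) and that an untrusted port with no ACL or policy map classifies a packet to DSCP 0.

```python
from dataclasses import dataclass
from typing import Optional

# Default CoS-to-DSCP map (Table 27-12 in the guide). Assumed here to be the
# standard Catalyst default, DSCP = CoS * 8; adjust it if your switch differs.
COS_TO_DSCP = {cos: cos * 8 for cos in range(8)}
# IP precedence is the top three bits of the DSCP field, so the default
# IP-precedence-to-DSCP map is the same arithmetic.
PREC_TO_DSCP = {prec: prec * 8 for prec in range(8)}


@dataclass
class Port:
    """Interface-level QoS settings from this section of the guide."""
    trust: Optional[str] = None              # None = untrusted, else "cos", "dscp", "ip-precedence"
    default_cos: int = 0                     # mls qos cos default-cos
    cos_override: bool = False               # mls qos cos override
    trust_device_cisco_phone: bool = False   # mls qos trust device cisco-phone (trusted boundary)
    cdp_sees_cisco_phone: bool = False       # constructed input: what CDP currently reports


@dataclass
class Frame:
    """Constructed ingress frame; only the fields classification looks at."""
    tagged: bool = False   # carries an 802.1Q header
    cos: int = 0           # 3-bit CoS from the tag, meaningful only when tagged
    is_ip: bool = False
    dscp: int = 0          # 6-bit DSCP, meaningful only when is_ip


def effective_trust(port: Port) -> Optional[str]:
    """Trusted boundary: the configured trust state applies only while CDP
    sees a Cisco IP Phone on the port; otherwise the port is untrusted."""
    if port.trust_device_cisco_phone and not port.cdp_sees_cisco_phone:
        return None
    return port.trust


def frame_cos(port: Port, frame: Frame) -> int:
    """Tagged frames keep their CoS; untagged frames take the port default CoS."""
    return frame.cos if frame.tagged else port.default_cos


def classify(port: Port, frame: Frame) -> int:
    """Return the internal DSCP the switch derives for the frame at ingress."""
    if port.cos_override:
        # override replaces any trust state: every frame gets the port default CoS
        return COS_TO_DSCP[port.default_cos]
    trust = effective_trust(port)
    if trust is None:
        # Assumption: an untrusted port with no ACL or policy map classifies to DSCP 0.
        return 0
    if trust == "dscp" and frame.is_ip:
        return frame.dscp
    if trust == "ip-precedence" and frame.is_ip:
        return PREC_TO_DSCP[frame.dscp >> 3]   # precedence = top 3 bits of the DSCP field
    # trust cos, or dscp / ip-precedence trust on a non-IP frame: use the CoS value
    return COS_TO_DSCP[frame_cos(port, frame)]


def trusted_boundary_demo() -> tuple:
    """Voice port with 'mls qos trust cos' and trusted boundary enabled.
    Returns the internal DSCP for a CoS 5 frame while the phone is present,
    and for the same frame after a PC is plugged in directly (no phone on CDP)."""
    port = Port(trust="cos", trust_device_cisco_phone=True, cdp_sees_cisco_phone=True)
    voice = Frame(tagged=True, cos=5)
    with_phone = classify(port, voice)   # 40: CoS 5 is trusted and maps to DSCP 40
    port.cdp_sees_cisco_phone = False
    pc_direct = classify(port, voice)    # 0: trust is disabled, the PC's CoS 5 is ignored
    return with_phone, pc_direct


if __name__ == "__main__":
    print("phone present -> DSCP %d, PC direct -> DSCP %d" % trusted_boundary_demo())
```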
Enabling DSCP Transparency Mode

The switch supports the DSCP transparency feature. It affects only the DSCP field of a packet at egress. By default, DSCP transparency is disabled. The switch modifies the DSCP field in an incoming packet, and the DSCP field in the outgoing packet is based on the quality of service (QoS) configuration, including the port trust setting, policing and marking, and the DSCP-to-DSCP mutation map.

If DSCP transparency is enabled by using the no mls qos rewrite ip dscp command, the switch does not modify the DSCP field in the incoming packet, and the DSCP field in the outgoing packet is the same as that in the incoming packet.

Regardless of the DSCP transparency configuration, the switch modifies the internal DSCP value of the packet, which the switch uses to generate a class of service (CoS) value that represents the priority of the traffic. The switch also uses the internal DSCP value to select an egress queue and threshold.

Beginning in privileged EXEC mode, follow these steps to enable DSCP transparency on a switch:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   mls qos
         Enable QoS globally.

Step 3   no mls qos rewrite ip dscp
         Enable DSCP transparency. The switch is configured to not modify the DSCP field of the IP packet.

Step 4   end
         Return to privileged EXEC mode.

Step 5   show mls qos interface [interface-id]
         Verify your entries.

Step 6   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To configure the switch to modify the DSCP value based on the trust setting or on an ACL by disabling DSCP transparency, use the mls qos rewrite ip dscp global configuration command.

If you disable QoS by using the no mls qos global configuration command, the CoS and DSCP values are not changed (the default QoS setting).

If you enter the no mls qos rewrite ip dscp global configuration command to enable DSCP transparency and then enter the mls qos trust [cos | dscp] interface configuration command, DSCP transparency is still enabled.


Configuring  the  DSCP  Trust  State  on  a  Port  Bordering  Another  QoS  Domain 

If  you  are  administering  two  separate  QoS  domains  between  which  you  want  to  implement  QoS  features 
for  IP  traffic,  you  can  configure  the  switch  ports  bordering  the  domains  to  a  DSCP-trusted  state  as  shown 
in  Figure  27-13.  Then  the  receiving  port  accepts  the  DSCP-trusted  value  and  avoids  the  classification 
stage  of  QoS.  If  the  two  domains  use  different  DSCP  values,  you  can  configure  the 
DSCP-to-DSCP-mutation  map  to  translate  a  set  of  DSCP  values  to  match  the  definition  in  the  other 
domain. 
Figure 27-13       DSCP-Trusted State on a Port Bordering Another QoS Domain (figure not reproduced; it shows QoS Domain 1 and QoS Domain 2 joined at a port with the callouts "Set interface to the DSCP-trusted state" and "Configure the DSCP-to-DSCP-mutation map")


Beginning in privileged EXEC mode, follow these steps to configure the DSCP-trusted state on a port and modify the DSCP-to-DSCP-mutation map. To ensure a consistent mapping strategy across both QoS domains, you must perform this procedure on the ports in both domains:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   mls qos map dscp-mutation dscp-mutation-name in-dscp to out-dscp
         Modify the DSCP-to-DSCP-mutation map.
         The default DSCP-to-DSCP-mutation map is a null map, which maps an incoming DSCP value to the same DSCP value.
         •  For dscp-mutation-name, enter the mutation map name. You can create more than one map by specifying a new name.
         •  For in-dscp, enter up to eight DSCP values separated by spaces. Then enter the to keyword.
         •  For out-dscp, enter a single DSCP value.
         The DSCP range is 0 to 63.

Step 3   interface interface-id
         Specify the port to be trusted, and enter interface configuration mode.
         Valid interfaces include physical ports.

Step 4   mls qos trust dscp
         Configure the ingress port as a DSCP-trusted port. By default, the port is not trusted.

Step 5   mls qos dscp-mutation dscp-mutation-name
         Apply the map to the specified ingress DSCP-trusted port.
         For dscp-mutation-name, specify the mutation map name created in Step 2.
         You can configure multiple DSCP-to-DSCP-mutation maps on an ingress port.

Step 6   end
         Return to privileged EXEC mode.

Step 7   show mls qos maps dscp-mutation
         Verify your entries.

Step 8   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To return a port to its non-trusted state, use the no mls qos trust interface configuration command. To return to the default DSCP-to-DSCP-mutation map values, use the no mls qos map dscp-mutation dscp-mutation-name global configuration command.

This example shows how to configure a port to the DSCP-trusted state and to modify the DSCP-to-DSCP-mutation map (named gi0/2-mutation) so that incoming DSCP values 10 to 13 are mapped to DSCP 30:

Switch(config)# mls qos map dscp-mutation gi0/2-mutation 10 11 12 13 to 30
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# mls qos trust dscp
Switch(config-if)# mls qos dscp-mutation gi0/2-mutation
Switch(config-if)# end
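An added Python model, not from the guide, of what happens to a packet on the DSCP-trusted border port just configured: the gi0/2-mutation map is applied at ingress, the mutated internal DSCP selects the egress queue and threshold from Table 27-11, and the egress DSCP field is rewritten unless DSCP transparency (no mls qos rewrite ip dscp) is enabled. The DSCP-to-CoS map is assumed to be the standard Catalyst default (CoS = DSCP // 8).

```python
from dataclasses import dataclass
from typing import Dict, Sequence, Tuple

# Table 27-11: default DSCP output queue threshold map, as (DSCP range, (queue ID, threshold ID)).
DSCP_OUTPUT_QUEUE = (
    (range(0, 16), (2, 1)),
    (range(16, 32), (3, 1)),
    (range(32, 40), (4, 1)),
    (range(40, 48), (1, 1)),
    (range(48, 64), (4, 1)),
)


def output_queue(dscp: int) -> Tuple[int, int]:
    """Egress queue ID and threshold ID selected by the internal DSCP."""
    for dscp_range, queue_threshold in DSCP_OUTPUT_QUEUE:
        if dscp in dscp_range:
            return queue_threshold
    raise ValueError("DSCP must be 0 to 63, got %r" % dscp)


def build_mutation_map(*rules: Tuple[Sequence[int], int]) -> Dict[int, int]:
    """Build a DSCP-to-DSCP-mutation map from (in-dscp values, out-dscp) rules.
    Starts from the null map (every DSCP maps to itself) and enforces the CLI
    limits: one to eight in-dscp values per rule, every DSCP in 0 to 63."""
    table = {d: d for d in range(64)}
    for in_dscps, out_dscp in rules:
        if not 1 <= len(in_dscps) <= 8:
            raise ValueError("each rule takes one to eight in-dscp values")
        if not all(0 <= d <= 63 for d in (*in_dscps, out_dscp)):
            raise ValueError("DSCP values must be 0 to 63")
        for d in in_dscps:
            table[d] = out_dscp
    return table


@dataclass
class Forwarded:
    internal_dscp: int   # value the switch uses for CoS and queue selection
    egress_dscp: int     # value written into the outgoing IP header
    egress_cos: int
    queue: int
    threshold: int


def forward(in_dscp: int, mutation: Dict[int, int], dscp_transparency: bool = False) -> Forwarded:
    """Model an IP packet entering a DSCP-trusted border port and leaving the switch."""
    # Ingress: the trusted DSCP is translated by the map applied with mls qos dscp-mutation.
    internal = mutation[in_dscp]
    # Egress queue, threshold and CoS always derive from the internal DSCP ...
    queue, threshold = output_queue(internal)
    cos = internal // 8   # assumption: standard Catalyst default DSCP-to-CoS map
    # ... but the DSCP field is rewritten only when transparency is off
    # (no mls qos rewrite ip dscp leaves the incoming value untouched).
    egress_dscp = in_dscp if dscp_transparency else internal
    return Forwarded(internal, egress_dscp, cos, queue, threshold)


# The map from the example above: mls qos map dscp-mutation gi0/2-mutation 10 11 12 13 to 30
GI0_2_MUTATION = build_mutation_map(([10, 11, 12, 13], 30))

if __name__ == "__main__":
    for transparent in (False, True):
        print("DSCP 12 in, transparency=%s -> %s" % (transparent, forward(12, GI0_2_MUTATION, transparent)))
```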

Configuring  a  QoS  Policy 

Configuring  a  QoS  policy  typically  requires  classifying  traffic  into  classes,  configuring  policies  applied 
to  those  traffic  classes,  and  attaching  policies  to  ports. 

For  background  information,  see  the  "Classification"  section  on  page  27-5  and  the  "Policing  and 
Marking"  section  on  page  27-8.  For  configuration  guidelines,  see  the  "Standard  QoS  Configuration 
Guidelines"  section  on  page  27-32. 

These  sections  describe  how  to  classify,  police,  and  mark  traffic.  Depending  on  your  network 
configuration,  you  must  perform  one  or  more  of  these  tasks: 

•  Classifying  Traffic  by  Using  ACLs,  page  27-42 

•  Classifying  Traffic  by  Using  Class  Maps,  page  27-45 

•  Classifying,  Policing,  and  Marking  Traffic  on  Physical  Ports  by  Using  Policy  Maps,  page  27-47 

•  Classifying,  Policing,  and  Marking  Traffic  on  SVIs  by  Using  Hierarchical  Policy  Maps,  page  27-50 

•  Classifying,  Policing,  and  Marking  Traffic  by  Using  Aggregate  Policers,  page  27-55 
Classifying Traffic by Using ACLs

You can classify IP traffic by using IP standard or IP extended ACLs; you can classify non-IP traffic by using Layer 2 MAC ACLs.

Beginning in privileged EXEC mode, follow these steps to create an IP standard ACL for IP traffic:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   access-list access-list-number {deny | permit} source [source-wildcard]
         Create an IP standard ACL, repeating the command as many times as necessary.
         •  For access-list-number, enter the access list number. The range is 1 to 99 and 1300 to 1999.
         •  Use the permit keyword to permit a certain type of traffic if the conditions are matched. Use the deny keyword to deny a certain type of traffic if conditions are matched.
         •  For source, enter the network or host from which the packet is being sent. You can use the any keyword as an abbreviation for 0.0.0.0 255.255.255.255.
         •  (Optional) For source-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the source. Place ones in the bit positions that you want to ignore.
         Note     When creating an access list, remember that, by default, the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end.

Step 3   end
         Return to privileged EXEC mode.

Step 4   show access-lists
         Verify your entries.

Step 5   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To delete an access list, use the no access-list access-list-number global configuration command.

This example shows how to allow access for only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements is rejected.

Switch(config)# access-list 1 permit 192.5.255.0 0.0.0.255
Switch(config)# access-list 1 permit 128.88.0.0 0.0.255.255
Switch(config)# access-list 1 permit 36.0.0.0 0.0.0.255
! (Note: all other access implicitly denied)
Beginning in privileged EXEC mode, follow these steps to create an IP extended ACL for IP traffic:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard
         Create an IP extended ACL, repeating the command as many times as necessary.
         •  For access-list-number, enter the access list number. The range is 100 to 199 and 2000 to 2699.
         •  Use the permit keyword to permit a certain type of traffic if the conditions are matched. Use the deny keyword to deny a certain type of traffic if conditions are matched.
         •  For protocol, enter the name or number of an IP protocol. Use the question mark (?) to see a list of available protocol keywords.
         •  For source, enter the network or host from which the packet is being sent. You specify this by using dotted decimal notation, by using the any keyword as an abbreviation for source 0.0.0.0 source-wildcard 255.255.255.255, or by using the host keyword for source 0.0.0.0.
         •  For source-wildcard, enter the wildcard bits by placing ones in the bit positions that you want to ignore. You specify the wildcard by using dotted decimal notation, by using the any keyword as an abbreviation for source 0.0.0.0 source-wildcard 255.255.255.255, or by using the host keyword for source 0.0.0.0.
         •  For destination, enter the network or host to which the packet is being sent. You have the same options for specifying the destination and destination-wildcard as those described by source and source-wildcard.
         Note     When creating an access list, remember that, by default, the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end.

Step 3   end
         Return to privileged EXEC mode.

Step 4   show access-lists
         Verify your entries.

Step 5   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To delete an access list, use the no access-list access-list-number global configuration command.

This example shows how to create an ACL that permits IP traffic from any source to any destination that has the DSCP value set to 32:

Switch(config)# access-list 100 permit ip any any dscp 32

This example shows how to create an ACL that permits IP traffic from a source host at 10.1.1.1 to a destination host at 10.1.1.2 with a precedence value of 5:

Switch(config)# access-list 100 permit ip host 10.1.1.1 host 10.1.1.2 precedence 5

This example shows how to create an ACL that permits PIM traffic from any source to a destination group address of 224.0.0.2 with a DSCP set to 32:

Switch(config)# access-list 102 permit pim any 224.0.0.2 dscp 32
Beginning in privileged EXEC mode, follow these steps to create a Layer 2 MAC ACL for non-IP traffic:

Step 1    configure terminal
          Enter global configuration mode.

Step 2    mac access-list extended name
          Create a Layer 2 MAC ACL by specifying the name of the list. After entering this command, the mode changes to extended MAC ACL configuration.

Step 3    {permit | deny} {any | host src-MAC-addr | src-MAC-addr mask} {any | host dst-MAC-addr | dst-MAC-addr mask} [type mask]
          Specify the type of traffic to permit or deny if the conditions are matched, entering the command as many times as necessary.

          •  For src-MAC-addr, enter the MAC address of the host from which the packet is being sent. You specify this in hexadecimal format (H.H.H), by using the any keyword as an abbreviation for source 0.0.0 with source-wildcard ffff.ffff.ffff, or by using the host keyword as an abbreviation for source-wildcard 0.0.0 (an exact match on the address).

          •  For mask, enter the wildcard bits by placing ones in the bit positions that you want to ignore.

          •  For dst-MAC-addr, enter the MAC address of the host to which the packet is being sent. You specify this in hexadecimal format (H.H.H), by using the any keyword as an abbreviation for destination 0.0.0 with destination-wildcard ffff.ffff.ffff, or by using the host keyword as an abbreviation for destination-wildcard 0.0.0 (an exact match on the address).

          •  (Optional) For type mask, specify the Ethertype number of a packet with Ethernet II or SNAP encapsulation to identify the protocol of the packet. For type, the range is from 0 to 65535, typically specified in hexadecimal. For mask, enter the don't-care bits applied to the Ethertype before testing for a match.

          Note  When creating an access list, remember that, by default, the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end.

Step 4    end
          Return to privileged EXEC mode.

Step 5    show access-lists [access-list-number | access-list-name]
          Verify your entries.

Step 6    copy running-config startup-config
          (Optional) Save your entries in the configuration file.


To delete an access list, use the no mac access-list extended access-list-name global configuration command.

This example shows how to create a Layer 2 MAC ACL with two permit statements. The first statement allows traffic from the host with MAC address 0001.0000.0001 to the host with MAC address 0002.0000.0001. The second statement allows only Ethertype XNS-IDP traffic from the host with MAC address 0001.0000.0002 to the host with MAC address 0002.0000.0002. Because the mask 0.0.0 ignores no bits, each address must match exactly; any frame not matched by either statement is dropped by the implicit deny.

Switch(config)# mac access-list extended maclist1
Switch(config-ext-macl)# permit 0001.0000.0001 0.0.0 0002.0000.0001 0.0.0
Switch(config-ext-macl)# permit 0001.0000.0002 0.0.0 0002.0000.0002 0.0.0 xns-idp
! (Note: all other access implicitly denied)


27-44 


j    Cisco  Gigabit  Ethernet  Switch  Module  for  HP  p-Class  BladeSystem  Software  Configuration  Guide 


380261-003  I 


I  Chapter  27     Configuring  QoS 


Configuring  Standard  QoS B 


Classifying  Traffic  by  Using  Class  Maps 

You  use  the  class-map  global  configuration  command  to  name  and  to  isolate  a  specific  traffic  flow  (or 
class)  from  all  other  traffic.  The  class  map  defines  the  criteria  to  use  to  match  against  a  specific  traffic 
flow  to  further  classify  it.  Match  statements  can  include  criteria  such  as  an  ACL,  IP  precedence  values, 
or  DSCP  values.  The  match  criterion  is  defined  with  one  match  statement  entered  within  the  class-map 
configuration  mode. 

Note  You can also create class maps during policy-map creation by using the class policy-map configuration command. For more information, see the "Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps" section on page 27-47 and the "Classifying, Policing, and Marking Traffic on SVIs by Using Hierarchical Policy Maps" section on page 27-50.


Beginning in privileged EXEC mode, follow these steps to create a class map and to define the match criterion to classify traffic:

Step 1    configure terminal
          Enter global configuration mode.

Step 2    access-list access-list-number {deny | permit} source [source-wildcard]
          or
          access-list access-list-number {deny | permit} protocol source [source-wildcard] destination [destination-wildcard]
          or
          mac access-list extended name
          {permit | deny} {any | host src-MAC-addr | src-MAC-addr mask} {any | host dst-MAC-addr | dst-MAC-addr mask} [type mask]

          Create an IP standard or extended ACL for IP traffic or a Layer 2 MAC ACL for non-IP traffic, repeating the command as many times as necessary.
          For more information, see the "Classifying Traffic by Using ACLs" section on page 27-42.

          Note  When creating an access list, remember that, by default, the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end.

Step 3    class-map [match-all | match-any] class-map-name
          Create a class map, and enter class-map configuration mode. By default, no class maps are defined.

          •  (Optional) Use the match-all keyword to perform a logical-AND of all matching statements under this class map. All match criteria in the class map must be matched.

          •  (Optional) Use the match-any keyword to perform a logical-OR of all matching statements under this class map. One or more match criteria must be matched.

          •  For class-map-name, specify the name of the class map.

          If neither the match-all nor the match-any keyword is specified, the default is match-all.

          Note  Because only one match command per class map is supported, the match-all and match-any keywords function the same.

Step 4    match {access-group acl-index-or-name | ip dscp dscp-list | ip precedence ip-precedence-list}
          Define the match criterion to classify traffic. By default, no match criterion is defined.
          Only one match criterion per class map is supported, and only one ACL per class map is supported.

          •  For access-group acl-index-or-name, specify the number or name of the ACL created in Step 2.

          •  For ip dscp dscp-list, enter a list of up to eight IP DSCP values to match against incoming packets. Separate each value with a space. The range is 0 to 63.

          •  For ip precedence ip-precedence-list, enter a list of up to eight IP-precedence values to match against incoming packets. Separate each value with a space. The range is 0 to 7.

Step 5    end
          Return to privileged EXEC mode.

Step 6    show class-map
          Verify your entries.

Step 7    copy running-config startup-config
          (Optional) Save your entries in the configuration file.


To delete an existing policy map, use the no policy-map policy-map-name global configuration command. To delete an existing class map, use the no class-map [match-all | match-any] class-map-name global configuration command. To remove a match criterion, use the no match {access-group acl-index-or-name | ip dscp | ip precedence} class-map configuration command.

This example shows how to configure the class map called class1. The class1 has one match criterion, which is access list 103. It permits IP traffic from any host to any destination that matches a DSCP value of 10:

Switch(config)# access-list 103 permit ip any any dscp 10
Switch(config)# class-map class1
Switch(config-cmap)# match access-group 103
Switch(config-cmap)# end
Switch#

This example shows how to create a class map called class2, which matches incoming traffic with DSCP values of 10, 11, and 12:

Switch(config)# class-map class2
Switch(config-cmap)# match ip dscp 10 11 12
Switch(config-cmap)# end
Switch#

This example shows how to create a class map called class3, which matches incoming traffic with IP-precedence values of 5, 6, and 7:

Switch(config)# class-map class3
Switch(config-cmap)# match ip precedence 5 6 7
Switch(config-cmap)# end
Switch#
Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps

You  can  configure  a  nonhierarchical  policy  map  on  a  physical  port  that  specifies  which  traffic  class  to 
act  on.  Actions  can  include  trusting  the  CoS,  DSCP,  or  IP  precedence  values  in  the  traffic  class;  setting 
a  specific  DSCP  or  IP  precedence  value  in  the  traffic  class;  and  specifying  the  traffic  bandwidth 
limitations  for  each  matched  traffic  class  (policer)  and  the  action  to  take  when  the  traffic  is  out  of  profile 
(marking). 

A  policy  map  also  has  these  characteristics: 

•  A  policy  map  can  contain  multiple  class  statements,  each  with  different  match  criteria  and  policers. 

•  A  separate  policy-map  class  can  exist  for  each  type  of  traffic  received  through  a  port. 

•  A policy-map trust state and a port trust state are mutually exclusive, and whichever is configured last takes effect.

Follow  these  guidelines  when  configuring  policy  maps  on  physical  ports: 

•  You  can  attach  only  one  policy  map  per  ingress  port. 

•  If you configure the IP-precedence-to-DSCP map by using the mls qos map ip-prec-dscp dscp1...dscp8 global configuration command, the settings only affect packets on ingress interfaces that are configured to trust the IP precedence value. In a policy map, if you set the packet IP precedence value to a new value by using the set ip precedence new-precedence policy-map class configuration command, the egress DSCP value is not affected by the IP-precedence-to-DSCP map. If you want the egress DSCP value to be different than the ingress value, use the set dscp new-dscp policy-map class configuration command.

•  If you enter or have used the set ip dscp command, the switch changes this command to set dscp in its configuration.

•  In Cisco IOS Release 12.2(25)SED or later, you can use the set ip precedence or the set precedence policy-map class configuration command to change the packet IP precedence value. This setting appears as set ip precedence in the switch configuration.

Beginning in privileged EXEC mode, follow these steps to create a nonhierarchical policy map:

Step 1    configure terminal
          Enter global configuration mode.

Step 2    class-map [match-all | match-any] class-map-name
          Create a class map, and enter class-map configuration mode. By default, no class maps are defined.

          •  (Optional) Use the match-all keyword to perform a logical-AND of all matching statements under this class map. All match criteria in the class map must be matched.

          •  (Optional) Use the match-any keyword to perform a logical-OR of all matching statements under this class map. One or more match criteria must be matched.

          •  For class-map-name, specify the name of the class map.

          If neither the match-all nor the match-any keyword is specified, the default is match-all.

          Note  Because only one match command per class map is supported, the match-all and match-any keywords function the same.

Step 3    policy-map policy-map-name
          Create a policy map by entering the policy map name, and enter policy-map configuration mode.
          By default, no policy maps are defined.
          The default behavior of a policy map is to set the DSCP to 0 if the packet is an IP packet and to set the CoS to 0 if the packet is tagged. No policing is performed.

Step 4    class class-map-name
          Define a traffic classification, and enter policy-map class configuration mode.
          By default, no policy-map class maps are defined.
          If a traffic class has already been defined by using the class-map global configuration command, specify its name for class-map-name in this command.

Step 5    trust [cos | dscp | ip-precedence]
          Configure the trust state, which QoS uses to generate a CoS-based or DSCP-based QoS label.

          Note  This command is mutually exclusive with the set command within the same policy map. If you enter the trust command, omit Step 6 and continue with Step 7.

          By default, the port is not trusted. If no keyword is specified when the command is entered, the default is dscp.
          The keywords have these meanings:

          •  cos: QoS derives the DSCP value by using the received or default port CoS value and the CoS-to-DSCP map.

          •  dscp: QoS derives the DSCP value by using the DSCP value from the ingress packet. For non-IP packets that are tagged, QoS derives the DSCP value by using the received CoS value; for non-IP packets that are untagged, QoS derives the DSCP value by using the default port CoS value. In either case, the DSCP value is derived from the CoS-to-DSCP map.

          •  ip-precedence: QoS derives the DSCP value by using the IP precedence value from the ingress packet and the IP-precedence-to-DSCP map. For non-IP packets that are tagged, QoS derives the DSCP value by using the received CoS value; for non-IP packets that are untagged, QoS derives the DSCP value by using the default port CoS value. In either case, the DSCP value is derived from the CoS-to-DSCP map.

          For more information, see the "Configuring the CoS-to-DSCP Map" section on page 27-58.

Step 6    set {dscp new-dscp | ip precedence new-precedence}
          Classify IP traffic by setting a new value in the packet.

          •  For dscp new-dscp, enter a new DSCP value to be assigned to the classified traffic. The range is 0 to 63.

          •  For ip precedence new-precedence, enter a new IP-precedence value to be assigned to the classified traffic. The range is 0 to 7.

Step 7    police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}]
          Define a policer for the classified traffic.
          By default, no policer is defined. For information on the number of policers supported, see the "Standard QoS Configuration Guidelines" section on page 27-32.

          •  For rate-bps, specify the average traffic rate in bits per second (b/s). The range is 8000 to 1000000000.

          •  For burst-byte, specify the normal burst size in bytes. The range is 8000 to 1000000.

          •  (Optional) Specify the action to take when the rates are exceeded. Use the exceed-action drop keywords to drop the packet. Use the exceed-action policed-dscp-transmit keywords to mark down the DSCP value (by using the policed-DSCP map) and to send the packet. For more information, see the "Configuring the Policed-DSCP Map" section on page 27-60.

Step 8    exit
          Return to policy-map configuration mode.

Step 9    exit
          Return to global configuration mode.

Step 10   interface interface-id
          Specify the port to attach to the policy map, and enter interface configuration mode.
          Valid interfaces include physical ports.

Step 11   service-policy input policy-map-name
          Specify the policy-map name, and apply it to an ingress port.
          Only one policy map per ingress port is supported.

Step 12   end
          Return to privileged EXEC mode.

Step 13   show policy-map [policy-map-name [class class-map-name]]
          Verify your entries.

Step 14   copy running-config startup-config
          (Optional) Save your entries in the configuration file.

To delete an existing policy map, use the no policy-map policy-map-name global configuration command. To delete an existing class map, use the no class class-map-name policy-map configuration command. To return to the untrusted state, use the no trust policy-map configuration command. To remove an assigned DSCP or IP precedence value, use the no set {dscp new-dscp | ip precedence new-precedence} policy-map configuration command. To remove an existing policer, use the no police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}] policy-map configuration command. To remove the policy map and port association, use the no service-policy input policy-map-name interface configuration command.

This example shows how to create a policy map and attach it to an ingress port. In the configuration, the IP standard ACL permits traffic from network 10.1.0.0. For traffic matching this classification, the DSCP value in the incoming packet is trusted. If the matched traffic exceeds an average traffic rate of 1000000 b/s and a normal burst size of 8000 bytes, its DSCP is marked down (based on the policed-DSCP map) and sent:

Switch(config)# access-list 1 permit 10.1.0.0 0.0.255.255
Switch(config)# class-map ipclass1
Switch(config-cmap)# match access-group 1
Switch(config-cmap)# exit
Switch(config)# policy-map flowit
Switch(config-pmap)# class ipclass1
Switch(config-pmap-c)# trust dscp
Switch(config-pmap-c)# police 1000000 8000 exceed-action policed-dscp-transmit
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# service-policy input flowit

This example shows how to create two Layer 2 MAC ACLs, use them to classify and mark non-IP traffic in a policy map, and attach the policy map to an ingress port. In maclist1, the first permit statement allows traffic from the host with MAC address 0001.0000.0001 destined for the host with MAC address 0002.0000.0001, and the second permit statement allows only Ethertype XNS-IDP traffic from the host with MAC address 0001.0000.0002 destined for the host with MAC address 0002.0000.0002. The maclist2 ACL is built the same way but permits only AARP traffic in its second statement. Traffic matching maclist1 is marked with DSCP 63, and traffic matching maclist2 with DSCP 45; the class map macclass2 is created directly inside the policy map by giving the ACL name on the class command:

Switch(config)# mac access-list extended maclist1
Switch(config-ext-macl)# permit 0001.0000.0001 0.0.0 0002.0000.0001 0.0.0
Switch(config-ext-macl)# permit 0001.0000.0002 0.0.0 0002.0000.0002 0.0.0 xns-idp
Switch(config-ext-macl)# exit
Switch(config)# mac access-list extended maclist2
Switch(config-ext-macl)# permit 0001.0000.0003 0.0.0 0002.0000.0003 0.0.0
Switch(config-ext-macl)# permit 0001.0000.0004 0.0.0 0002.0000.0004 0.0.0 aarp
Switch(config-ext-macl)# exit
Switch(config)# class-map macclass1
Switch(config-cmap)# match access-group maclist1
Switch(config-cmap)# exit
Switch(config)# policy-map macpolicy1
Switch(config-pmap)# class macclass1
Switch(config-pmap-c)# set dscp 63
Switch(config-pmap-c)# exit
Switch(config-pmap)# class macclass2 maclist2
Switch(config-pmap-c)# set dscp 45
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# mls qos trust cos
Switch(config-if)# service-policy input macpolicy1


Classifying,  Policing,  and  Marking  Traffic  on  SVIs  by  Using  Hierarchical  Policy  Maps 

You  can  configure  hierarchical  policy  maps  on  SVIs,  but  not  on  other  types  of  interfaces.  Hierarchical 
policing  combines  the  VLAN-  and  interface-level  policy  maps  to  create  a  single  policy  map. 

On  an  SVI,  the  VLAN-level  policy  map  specifies  which  traffic  class  to  act  on.  Actions  can  include 
trusting  the  CoS,  DSCP,  or  IP  precedence  values  or  setting  a  specific  DSCP  or  IP  precedence  value  in 
the  traffic  class.  Use  the  interface-level  policy  map  to  specify  the  physical  ports  that  are  affected  by 
individual  policers. 

Follow  these  guidelines  when  configuring  hierarchical  policy  maps: 

•  Before  configuring  a  hierarchical  policy  map,  you  must  enable  VLAN-based  QoS  on  the  physical 
ports  that  are  to  be  specified  at  the  interface  level  of  the  policy  map. 

•  You  can  attach  only  one  policy  map  per  ingress  port  or  SVI. 

•  A  policy  map  can  contain  multiple  class  statements,  each  with  different  match  criteria  and  actions. 

•  A  separate  policy-map  class  can  exist  for  each  type  of  traffic  received  on  the  SVI. 

•  A policy-map trust state and a port trust state are mutually exclusive, and whichever is configured last takes effect.

•  If you configure the IP-precedence-to-DSCP map by using the mls qos map ip-prec-dscp dscp1...dscp8 global configuration command, the settings only affect packets on ingress interfaces that are configured to trust the IP precedence value. In a policy map, if you set the packet IP precedence value to a new value by using the set ip precedence new-precedence policy-map class configuration command, the egress DSCP value is not affected by the IP-precedence-to-DSCP map. If you want the egress DSCP value to be different than the ingress value, use the set dscp new-dscp policy-map class configuration command.

•  If you enter or have used the set ip dscp command, the switch changes this command to set dscp in its configuration.

•  You can use the set ip precedence or the set precedence policy-map class configuration command to change the packet IP precedence value. This setting appears as set ip precedence in the switch configuration.

•  If  VLAN-based  QoS  is  enabled,  the  hierarchical  policy  map  supersedes  the  previously  configured 
port-based  policy  map. 

•  The  hierarchical  policy  map  is  attached  to  the  SVI  and  affects  all  traffic  belonging  to  the  VLAN. 
The  actions  specified  in  the  VLAN-level  policy  map  affect  the  traffic  belonging  to  the  SVI.  The 
police  action  on  the  port-level  policy  map  affects  the  ingress  traffic  on  the  affected  physical 
interfaces. 

•  When  configuring  a  hierarchical  policy  map  on  trunk  ports,  the  VLAN  ranges  must  not  overlap.  If 
the  ranges  overlap,  the  actions  specified  in  the  policy  map  affect  the  incoming  and  outgoing  traffic 
on  the  overlapped  VLANs. 

•  Aggregate  policers  are  not  supported  in  hierarchical  policy  maps. 

•  When  VLAN-based  QoS  is  enabled,  the  switch  supports  VLAN-based  features,  such  as  the  VLAN 
map. 

•  You  can  configure  a  hierarchical  policy  map  only  on  the  primary  VLAN  of  a  private  VLAN. 
Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  create  a  hierarchical  policy  map: 


Command 

Purpose 

configure  terminal 

Enter  global  configuration  mode. 

class-map  [match-all  1  match-any] 

class-map-name 

Create  a  VLAN-level  class  map,  and  enter  class-map  configuration 
mode.  For  information  about  creating  a  class  map,  see  the  "Classifying 
Traffic  by  Using  Class  Maps"  section  on  page  27-45. 

By  default,  no  class  maps  are  defined. 

•  (Optional)  Use  the  match-all  keyword  to  perform  a  logical-AND 
of  all  matching  statements  under  this  class  map.  All  match  criteria 
in  the  class  map  must  be  matched. 

•  (Optional)  Use  the  match-any  keyword  to  perform  a  logical-OR  of 
all  matching  statements  under  this  class  map.  One  or  more  match 
criteria  must  be  matched. 

•  For  class-map-name,  specify  the  name  of  the  class  map. 

If  neither  the  match-all  or  match-any  keyword  is  specified,  the  default 
is  match-all. 

Note     Because  only  one  match  command  per  class  map  is  supported, 
the  match-all  and  match-any  keywords  function  the  same. 
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Step  3 


Step  4 
Step  5 
Step  6 


Step  7 


Step  8 
Step  9 
Step  10 


Command 

Purpose 

match  {access-group  acl-index-or-name  I 
ip  dscp  dscp-list  I  ip  precedence 

ip-precedence-list] 

Define  the  match  criterion  to  classify  traffic. 
By  default,  no  match  criterion  is  defined. 

Only  one  match  criterion  per  class  map  is  supported,  and  only  one  ACL 
per  class  map  is  supported. 

•  For  access-group  acl-index-or-name,  specify  the  number  or  name 
of  the  ACL. 

•  For  ip  dscp  dscp-list,  enter  a  list  of  up  to  eight  IP  DSCP  values  to 
match  against  incoming  packets.  Separate  each  value  with  a  space. 
The  range  is  0  to  63. 

•  For  ip  precedence  ip-precedence-list,  enter  a  list  of  up  to  eight 
IP-precedence  values  to  match  against  incoming  packets.  Separate 
each  value  with  a  space.  The  range  is  0  to  7. 

exit 

Return  to  class-map  configuration  mode. 

exit 

Return  to  global  configuration  mode. 

class-map  [match-all  I  match-any] 

class-map-name 

Create  an  interface-level  class  map,  and  enter  class-map  configuration 
mode. 

By  default,  no  class  maps  are  defined. 

•  (Optional)  Use  the  match-all  keyword  to  perform  a  logical-AND 
of  all  matching  statements  under  this  class  map.  All  match  criteria 
in  the  class  map  must  be  matched. 

•  (Optional)  Use  the  match-any  keyword  to  perform  a  logical-OR  of 
all  matching  statements  under  this  class  map.  One  or  more  match 
criteria  must  be  matched. 

•  For  class-map-name,  specify  the  name  of  the  class  map. 

If  neither  the  match-all  or  match-any  keyword  is  specified,  the  default 
is  match-all. 

Note     Because  only  one  match  command  per  class  map  is  supported, 
the  match-all  and  match-any  keywords  function  the  same. 

match  input-interface  interface-id-list 

Specify  the  physical  ports  on  which  the  interface-level  class  map  acts. 
You  can  specify  up  to  six  ports  as  follows: 

•  A  single  port  (counts  as  one  entry) 

•  A  list  of  ports  separated  by  a  space  (each  port  counts  as  an  entry) 

•  A  range  of  ports  separated  by  a  hyphen  (counts  as  two  entries) 

This  command  can  only  be  used  in  the  child-level  policy  map  and  must 
be  the  only  match  condition  in  the  child-level  policy  map. 

exit 

Return  to  class-map  configuration  mode. 

exit 

Return  to  global  configuration  mode. 

policy-map  policy-map-name 

Create  an  interface-level  policy  map  by  entering  the  policy-map  name, 
and  enter  policy-map  configuration  mode. 

By  default,  no  policy  maps  are  defined,  and  no  policing  is  performed. 
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Step  11 


Step  12 


Command 

Purpose 

class-map  class -map -name 

Define  an  interface-level  traffic  classification,  and  enter  policy-map 
configuration  mode. 

By  default,  no  policy-map  class-maps  are  defined. 

If  a  traffic  class  has  already  been  defined  by  using  the  class-map  global 
configuration  command,  specify  its  name  for  class-map-name  in  this 
command. 

police  rate-bps  burst-byte  [exceed-action 
{drop  1  policed-dscp-transmitj] 

Define  an  individual  policer  for  the  classified  traffic. 

By  default,  no  policer  is  defined.  For  information  on  the  number  of 
policers  supported,  see  the  "Standard  QoS  Configuration  Guidelines" 
section  on  page  27-32. 

•  For  rate-bps,  specify  average  traffic  rate  in  bits  per  second  (bps). 
The  range  is  8000  to  1000000000. 

•  For  burst-byte,  specify  the  normal  burst  size  in  bytes.  The  range  is 
8000  to  1000000. 

•  (Optional)  Specify  the  action  to  take  when  the  rates  are  exceeded. 
Use  the  exceed-action  drop  keywords  to  drop  the  packet.  Use  the 

1                  A.  *                              1*                11                       A                                    *  A.    1                                       I          ,                              11  ,1 

exceed-action  pohced-dscp-transmit  keywords  to  mark  down  the 
DSCP  value  (by  using  the  policed-DSCP  map)  and  to  send  the 
packet.  For  more  information,  see  the  "Configuring  the 
Policed-DSCP  Map"  section  on  page  27-60. 

exit 

Return  to  policy-map  configuration  mode. 

exit 

Return  to  global  configuration  mode. 

policy-map  policy-map-name 

Create  a  VLAN-level  policy  map  by  entering  the  policy-map  name,  and 
enter  policy-map  configuration  mode. 

By  default,  no  policy  maps  are  defined. 

The  default  behavior  of  a  policy  map  is  to  set  the  DSCP  to  0  if  the 
packet  is  an  IP  packet  and  to  set  the  CoS  to  0  if  the  packet  is  tagged.  No 
policing  is  performed. 

class  class-map-name 

Define  a  VLAN-level  traffic  classification,  and  enter  policy-map  class 
configuration  mode. 

By  default,  no  policy-map  class-maps  are  defined. 

If  a  traffic  class  has  already  been  defined  by  using  the  class-map  global 
configuration  command,  specify  its  name  for  class-map-name  in  this 
command. 
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Command 


Purpose 


Step  17    trust  [cos  I  dscp  I  ip-precedence] 


Step  18    set  {dscp  new-dscp  I  ip  precedence 

new-precedence } 


Configure  the  trust  state,  which  QoS  uses  to  generate  a  CoS-based  or 
DSCP-based  QoS  label. 

Note     This  command  is  mutually  exclusive  with  the  set  command 
within  the  same  policy  map.  If  you  enter  the  trust  command, 
omit  Step  18. 

By  default,  the  port  is  not  trusted.  If  no  keyword  is  specified  when  the 
command  is  entered,  the  default  is  dscp. 

The  keywords  have  these  meanings: 

•  cos — QoS  derives  the  DSCP  value  by  using  the  received  or  default 
port  CoS  value  and  the  CoS-to-DSCP  map. 

•  dscp — QoS  derives  the  DSCP  value  by  using  the  DSCP  value  from 
the  ingress  packet.  For  non-IP  packets  that  are  tagged,  QoS  derives 
the  DSCP  value  by  using  the  received  CoS  value;  for  non-IP 
packets  that  are  untagged,  QoS  derives  the  DSCP  value  by  using 
the  default  port  CoS  value.  In  either  case,  the  DSCP  value  is 
derived  from  the  CoS-to-DSCP  map. 

•  ip-precedence — QoS  derives  the  DSCP  value  by  using  the  IP 
precedence  value  from  the  ingress  packet  and  the 
IP-precedence-to-DSCP  map.  For  non-IP  packets  that  are  tagged, 
QoS  derives  the  DSCP  value  by  using  the  received  CoS  value;  for 
non-IP  packets  that  are  untagged,  QoS  derives  the  DSCP  value  by 
using  the  default  port  CoS  value.  In  either  case,  the  DSCP  value  is 
derived  from  the  CoS-to-DSCP  map. 

For  more  information,  see  the  "Configuring  the  CoS-to-DSCP  Map" 
section  on  page  27-58. 

Classify  IP  traffic  by  setting  a  new  value  in  the  packet. 

•  For  dscp  new-dscp,  enter  a  new  DSCP  value  to  be  assigned  to  the 
classified  traffic.  The  range  is  0  to  63. 

•  For  ip  precedence  new-precedence,  enter  a  new  IP-precedence 
value  to  be  assigned  to  the  classified  traffic.  The  range  is  0  to  7. 


Step 19    service-policy policy-map-name

Specify the interface-level policy-map name (from Step 10) and associate it with the VLAN-level policy map.

If the VLAN-level policy map specifies more than one class, each class can have a different service-policy policy-map-name command.

Step 20    exit

Return to policy-map configuration mode.

Step 21    exit

Return to global configuration mode.

Step 22    interface interface-id

Specify the SVI to which to attach the hierarchical policy map, and enter interface configuration mode.
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Command

Purpose

Step 23    service-policy input policy-map-name

Specify the VLAN-level policy-map name, and apply it to the SVI. Repeat the previous step and this command to apply the policy map to other SVIs.

If the hierarchical VLAN-level policy map has more than one interface-level policy map, all class maps must be configured to the same VLAN-level policy map specified in the service-policy policy-map-name command.

Step 24    end

Return to privileged EXEC mode.

Step 25    show policy-map [policy-map-name [class class-map-name]]

or

show mls qos vlan-based

Verify your entries.

Step 26    copy running-config startup-config

(Optional) Save your entries in the configuration file.

To  delete  an  existing  policy  map,  use  the  no  policy-map  policy-map-name  global  configuration 
command.  To  delete  an  existing  class  map,  use  the  no  class  class-map-name  policy-map  configuration 
command. 

To return to the untrusted state in a policy map, use the no trust policy-map configuration command. To remove an assigned DSCP or IP precedence value, use the no set {dscp new-dscp | ip precedence new-precedence} policy-map configuration command.

To remove an existing policer in an interface-level policy map, use the no police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}] policy-map configuration command. To remove the hierarchical policy map and port associations, use the no service-policy input policy-map-name interface configuration command.

This  example  shows  how  to  create  a  hierarchical  policy  map: 

Switch> enable
Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# access-list 101 permit ip any any
Switch(config)# class-map cm-1
Switch(config-cmap)# match access 101
Switch(config-cmap)# exit
Switch(config)# exit
Switch#


Classifying,  Policing,  and  Marking  Traffic  by  Using  Aggregate  Policers 

By  using  an  aggregate  policer,  you  can  create  a  policer  that  is  shared  by  multiple  traffic  classes  within 
the  same  policy  map.  However,  you  cannot  use  the  aggregate  policer  across  different  policy  maps  or 
ports. 

You  can  configure  aggregate  policers  only  in  nonhierarchical  policy  maps  on  physical  ports. 
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Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  create  an  aggregate  policer: 


Command

Purpose

Step 1    configure terminal

Enter global configuration mode.

Step 2    mls qos aggregate-policer aggregate-policer-name rate-bps burst-byte exceed-action {drop | policed-dscp-transmit}

Define the policer parameters that can be applied to multiple traffic classes within the same policy map.

By default, no aggregate policer is defined. For information on the number of policers supported, see the "Standard QoS Configuration Guidelines" section on page 27-32.

• For aggregate-policer-name, specify the name of the aggregate policer.

• For rate-bps, specify the average traffic rate in bits per second (bps). The range is 8000 to 1000000000.

• For burst-byte, specify the normal burst size in bytes. The range is 8000 to 1000000.

• Specify the action to take when the rates are exceeded. Use the exceed-action drop keywords to drop the packet. Use the exceed-action policed-dscp-transmit keywords to mark down the DSCP value (by using the policed-DSCP map) and to send the packet. For more information, see the "Configuring the Policed-DSCP Map" section on page 27-60.

Step 3    class-map [match-all | match-any] class-map-name

Create a class map to classify traffic as necessary. For more information, see the "Classifying Traffic by Using Class Maps" section on page 27-45.

Step 4    policy-map policy-map-name

Create a policy map by entering the policy map name, and enter policy-map configuration mode.

For more information, see the "Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps" section on page 27-47.

Step 5    class class-map-name

Define a traffic classification, and enter policy-map class configuration mode.

For more information, see the "Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps" section on page 27-47.

Step 6    police aggregate aggregate-policer-name

Apply an aggregate policer to multiple classes in the same policy map.

For aggregate-policer-name, enter the name specified in Step 2.

Step 7    exit

Return to global configuration mode.

Step 8    interface interface-id

Specify the port to attach to the policy map, and enter interface configuration mode.

Valid interfaces include physical ports.

Step 9    service-policy input policy-map-name

Specify the policy-map name, and apply it to an ingress port. Only one policy map per ingress port is supported.

Step 10    end

Return to privileged EXEC mode.

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Command

Purpose

Step 11    show mls qos aggregate-policer [aggregate-policer-name]

Verify your entries.

Step 12    copy running-config startup-config

(Optional) Save your entries in the configuration file.

To remove the specified aggregate policer from a policy map, use the no police aggregate aggregate-policer-name policy-map configuration command. To delete an aggregate policer and its parameters, use the no mls qos aggregate-policer aggregate-policer-name global configuration command.

This example shows how to create an aggregate policer and attach it to multiple classes within a policy map. In the configuration, the IP ACLs permit traffic from network 10.1.0.0 and from host 11.3.1.1. For traffic coming from network 10.1.0.0, the DSCP in the incoming packets is trusted. For traffic coming from host 11.3.1.1, the DSCP in the packet is changed to 56. The traffic rate from the 10.1.0.0 network and from host 11.3.1.1 is policed. If the traffic exceeds an average rate of 48000 b/s and a normal burst size of 8000 bytes, its DSCP is marked down (based on the policed-DSCP map) and sent. The policy map is attached to an ingress port.


Switch(config)# access-list 1 permit 10.1.0.0 0.0.255.255
Switch(config)# access-list 2 permit 11.3.1.1
Switch(config)# mls qos aggregate-police transmit1 48000 8000 exceed-action policed-dscp-transmit
Switch(config)# class-map ipclass1
Switch(config-cmap)# match access-group 1
Switch(config-cmap)# exit
Switch(config)# class-map ipclass2
Switch(config-cmap)# match access-group 2
Switch(config-cmap)# exit
Switch(config)# policy-map aggflow1
Switch(config-pmap)# class ipclass1
Switch(config-pmap-c)# trust dscp
Switch(config-pmap-c)# police aggregate transmit1
Switch(config-pmap-c)# exit
Switch(config-pmap)# class ipclass2
Switch(config-pmap-c)# set dscp 56
Switch(config-pmap-c)# police aggregate transmit1
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# service-policy input aggflow1
Switch(config-if)# exit
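The aggregate policer in the example above, as an added Python model that is not part of the Cisco guide: a single-rate token bucket with the transmit1 parameters (48000 b/s, 8000-byte burst) and exceed-action policed-dscp-transmit. The token-bucket behaviour and the replayed packets are assumptions; the mark-down entries (DSCP 50 to 57 to 0) are taken from this chapter's policed-DSCP example.

```python
"""Simplified single-rate token-bucket model of a Catalyst aggregate policer.

Added example, not code from the guide. Assumptions: tokens are bytes, the bucket
starts full, and it refills continuously at rate_bps / 8 bytes per second.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed policed-DSCP map: the guide's own example marks DSCP 50-57 down to 0;
# every other DSCP is left unchanged (the null map).
POLICED_DSCP_MAP: Dict[int, int] = {d: (0 if 50 <= d <= 57 else d) for d in range(64)}


@dataclass
class AggregatePolicer:
    """'mls qos aggregate-policer <name> <rate-bps> <burst-byte> exceed-action <action>'."""
    name: str
    rate_bps: int
    burst_byte: int
    exceed_action: str                 # "drop" or "policed-dscp-transmit"
    tokens: float = field(init=False)
    last_ts: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        # Ranges the guide documents: rate 8000-1000000000 b/s, burst 8000-1000000 bytes.
        if not 8000 <= self.rate_bps <= 1_000_000_000:
            raise ValueError("rate-bps must be 8000 to 1000000000")
        if not 8000 <= self.burst_byte <= 1_000_000:
            raise ValueError("burst-byte must be 8000 to 1000000")
        if self.exceed_action not in ("drop", "policed-dscp-transmit"):
            raise ValueError("exceed-action must be drop or policed-dscp-transmit")
        self.tokens = float(self.burst_byte)   # bucket starts full

    def _refill(self, now: float) -> None:
        """Add the bytes earned since the last packet, capped at the normal burst size."""
        elapsed = max(0.0, now - self.last_ts)
        self.tokens = min(float(self.burst_byte), self.tokens + elapsed * self.rate_bps / 8)
        self.last_ts = now

    def police(self, now: float, size_bytes: int, dscp: int) -> Tuple[str, int]:
        """Police one packet; return ('transmit' | 'markdown' | 'drop', DSCP the packet carries)."""
        self._refill(now)
        if size_bytes <= self.tokens:          # conforming: spend tokens, forward unchanged
            self.tokens -= size_bytes
            return "transmit", dscp
        if self.exceed_action == "drop":       # exceeding, exceed-action drop
            return "drop", dscp
        # exceeding, exceed-action policed-dscp-transmit: mark down via the policed-DSCP map, forward
        return "markdown", POLICED_DSCP_MAP[dscp]


def run_example() -> List[Tuple[str, int]]:
    """Replay constructed packets through the guide's transmit1 policer (48000 b/s, 8000-byte burst).

    Both classes of policy map aggflow1 share this policer, so packets from the trusted
    10.1.0.0 class (DSCP 40 here) and from the host class marked DSCP 56 draw on one bucket.
    """
    policer = AggregatePolicer("transmit1", 48000, 8000, "policed-dscp-transmit")
    packets = [               # (seconds, bytes, DSCP when the policer runs) -- constructed
        (0.0, 8000, 40),      # consumes the whole burst: conforms
        (0.0, 1000, 56),      # bucket empty: exceeds, DSCP 56 is marked down to 0
        (1.0, 6000, 56),      # one second later 6000 bytes have refilled (48000 b/s): conforms
        (1.0, 100, 40),       # nothing left: exceeds; DSCP 40 has no mark-down entry, so it stays 40
    ]
    return [policer.police(ts, size, dscp) for ts, size, dscp in packets]


if __name__ == "__main__":
    for verdict, dscp in run_example():
        print(f"{verdict:9s} dscp={dscp}")
```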


Configuring  DSCP  Maps 

These  sections  contain  this  configuration  information: 

•  Configuring  the  CoS-to-DSCP  Map,  page  27-58  (optional) 

•  Configuring  the  IP-Precedence-to-DSCP  Map,  page  27-59  (optional) 

•  Configuring  the  Policed-DSCP  Map,  page  27-60  (optional,  unless  the  null  settings  in  the  map  are 
not  appropriate) 

•  Configuring  the  DSCP-to-CoS  Map,  page  27-61  (optional) 

•  Configuring  the  DSCP-to-DSCP-Mutation  Map,  page  27-62  (optional,  unless  the  null  settings  in  the 
map  are  not  appropriate) 

All  the  maps,  except  the  DSCP-to-DSCP-mutation  map,  are  globally  defined  and  are  applied  to  all  ports. 
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Configuring  the  CoS-to-DSCP  Map 

You  use  the  CoS-to-DSCP  map  to  map  CoS  values  in  incoming  packets  to  a  DSCP  value  that  QoS  uses 
internally  to  represent  the  priority  of  the  traffic. 

Table 27-12 shows the default CoS-to-DSCP map.

Table 27-12       Default CoS-to-DSCP Map

CoS Value    DSCP Value
0            0
1            8
2            16
3            24
4            32
5            40
6            48
7            56

If  these  values  are  not  appropriate  for  your  network,  you  need  to  modify  them. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  modify  the  CoS-to-DSCP  map.  This 
procedure  is  optional. 


Command

Purpose

Step 1    configure terminal

Enter global configuration mode.

Step 2    mls qos map cos-dscp dscp1...dscp8

Modify the CoS-to-DSCP map.

For dscp1...dscp8, enter eight DSCP values that correspond to CoS values 0 to 7. Separate each DSCP value with a space.

The DSCP range is 0 to 63.

Step 3    end

Return to privileged EXEC mode.

Step 4    show mls qos maps cos-dscp

Verify your entries.

Step 5    copy running-config startup-config

(Optional) Save your entries in the configuration file.

To return to the default map, use the no mls qos cos-dscp global configuration command.

This example shows how to modify and display the CoS-to-DSCP map:

Switch(config)# mls qos map cos-dscp 10 15 20 25 30 35 40 45
Switch(config)# end
Switch# show mls qos maps cos-dscp

   Cos-dscp map:
           cos:   0  1  2  3  4  5  6  7
          dscp:  10 15 20 25 30 35 40 45
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Configuring  the  IP-Precedence-to-DSCP  Map 

You  use  the  IP-precedence-to-DSCP  map  to  map  IP  precedence  values  in  incoming  packets  to  a  DSCP 
value  that  QoS  uses  internally  to  represent  the  priority  of  the  traffic. 

Table 27-13 shows the default IP-precedence-to-DSCP map.

Table 27-13       Default IP-Precedence-to-DSCP Map

IP Precedence Value    DSCP Value
0                      0
1                      8
2                      16
3                      24
4                      32
5                      40
6                      48
7                      56

If  these  values  are  not  appropriate  for  your  network,  you  need  to  modify  them. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  modify  the  IP-precedence-to-DSCP  map. 
This  procedure  is  optional. 


Command

Purpose

Step 1    configure terminal

Enter global configuration mode.

Step 2    mls qos map ip-prec-dscp dscp1...dscp8

Modify the IP-precedence-to-DSCP map.

For dscp1...dscp8, enter eight DSCP values that correspond to the IP precedence values 0 to 7. Separate each DSCP value with a space.

The DSCP range is 0 to 63.

Step 3    end

Return to privileged EXEC mode.

Step 4    show mls qos maps ip-prec-dscp

Verify your entries.

Step 5    copy running-config startup-config

(Optional) Save your entries in the configuration file.

To return to the default map, use the no mls qos ip-prec-dscp global configuration command.

This example shows how to modify and display the IP-precedence-to-DSCP map:

Switch(config)# mls qos map ip-prec-dscp 10 15 20 25 30 35 40 45
Switch(config)# end
Switch# show mls qos maps ip-prec-dscp

   IpPrecedence-dscp map:
        ipprec:   0  1  2  3  4  5  6  7
          dscp:  10 15 20 25 30 35 40 45
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Configuring  the  Policed-DSCP  Map 

You  use  the  policed-DSCP  map  to  mark  down  a  DSCP  value  to  a  new  value  as  the  result  of  a  policing 
and  marking  action. 

The  default  policed-DSCP  map  is  a  null  map,  which  maps  an  incoming  DSCP  value  to  the  same  DSCP 
value. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  modify  the  policed-DSCP  map.  This 
procedure  is  optional. 


Command

Purpose

Step 1    configure terminal

Enter global configuration mode.

Step 2    mls qos map policed-dscp dscp-list to mark-down-dscp

Modify the policed-DSCP map.

• For dscp-list, enter up to eight DSCP values separated by spaces. Then enter the to keyword.

• For mark-down-dscp, enter the corresponding policed (marked down) DSCP value.

Step 3    end

Return to privileged EXEC mode.

Step 4    show mls qos maps policed-dscp

Verify your entries.

Step 5    copy running-config startup-config

(Optional) Save your entries in the configuration file.

To return to the default map, use the no mls qos policed-dscp global configuration command.

This example shows how to map DSCP 50 to 57 to a marked-down DSCP value of 0:

Switch(config)# mls qos map policed-dscp 50 51 52 53 54 55 56 57 to 0
Switch(config)# end
Switch# show mls qos maps policed-dscp

   Policed-dscp map:
     d1 :  d2  0  1  2  3  4  5  6  7  8  9
      0 :    00 01 02 03 04 05 06 07 08 09
      1 :    10 11 12 13 14 15 16 17 18 19
      2 :    20 21 22 23 24 25 26 27 28 29
      3 :    30 31 32 33 34 35 36 37 38 39
      4 :    40 41 42 43 44 45 46 47 48 49
      5 :    00 00 00 00 00 00 00 00 58 59
      6 :    60 61 62 63

Note      In this policed-DSCP map, the marked-down DSCP values are shown in the body of the matrix. The d1 column specifies the most-significant digit of the original DSCP; the d2 row specifies the least-significant digit of the original DSCP. The intersection of the d1 and d2 values provides the marked-down value. For example, an original DSCP value of 53 corresponds to a marked-down DSCP value of 0.
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Configuring the DSCP-to-CoS Map

You use the DSCP-to-CoS map to generate a CoS value, which is used to select one of the four egress queues.

Table 27-14 shows the default DSCP-to-CoS map.

Table 27-14       Default DSCP-to-CoS Map

DSCP Value    CoS Value
0-7           0
8-15          1
16-23         2
24-31         3
32-39         4
40-47         5
48-55         6
56-63         7

If  these  values  are  not  appropriate  for  your  network,  you  need  to  modify  them. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  modify  the  DSCP-to-CoS  map.  This 
procedure  is  optional. 


Command

Purpose

Step 1    configure terminal

Enter global configuration mode.

Step 2    mls qos map dscp-cos dscp-list to cos

Modify the DSCP-to-CoS map.

• For dscp-list, enter up to eight DSCP values separated by spaces. Then enter the to keyword.

• For cos, enter the CoS value to which the DSCP values correspond.

The DSCP range is 0 to 63; the CoS range is 0 to 7.

Step 3    end

Return to privileged EXEC mode.

Step 4    show mls qos maps dscp-cos

Verify your entries.

Step 5    copy running-config startup-config

(Optional) Save your entries in the configuration file.

To return to the default map, use the no mls qos dscp-cos global configuration command.

This  example  shows  how  to  map  DSCP  values  0,  8,  16,  24,  32,  40,  48,  and  50  to  CoS  value  0  and  to 
display  the  map: 

Switch(config)# mls qos map dscp-cos 0 8 16 24 32 40 48 50 to 0
Switch(config)# end
Switch# show mls qos maps dscp-cos

   Dscp-cos map:
     d1 :  d2  0  1  2  3  4  5  6  7  8  9
      0 :    00 00 00 00 00 00 00 00 00 01
      1 :    01 01 01 01 01 01 00 02 02 02
      2 :    02 02 02 02 00 03 03 03 03 03
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3  :  03   03   00  04  04  04  04  04  04  04 

4  :  00   05   05  05  05  05  05  05  00  06 

5  :  00   06   06  06  06  06  07  07  07  07 

6  :  07   07   07  07 


V   

Note      In  the  above  DSCP-to-CoS  map,  the  CoS  values  are  shown  in  the  body  of  the  matrix.  The  dl  column 
specifies  the  most-significant  digit  of  the  DSCP;  the  d2  row  specifies  the  least-significant  digit  of  the 
DSCP.  The  intersection  of  the  dl  and  d2  values  provides  the  CoS  value.  For  example,  in  the 
DSCP-to-CoS  map,  a  DSCP  value  of  08  corresponds  to  a  CoS  value  of  0. 


Configuring  the  DSCP-to-DSCP-Mutation  Map 

If  two  QoS  domains  have  different  DSCP  definitions,  use  the  DSCP-to-DSCP-mutation  map  to  translate 
one  set  of  DSCP  values  to  match  the  definition  of  another  domain.  You  apply  the 
DSCP-to-DSCP-mutation  map  to  the  receiving  port  (ingress  mutation)  at  the  boundary  of  a  QoS 
administrative  domain. 

With  ingress  mutation,  the  new  DSCP  value  overwrites  the  one  in  the  packet,  and  QoS  treats  the  packet 
with  this  new  value.  The  switch  sends  the  packet  out  the  port  with  the  new  DSCP  value. 

You  can  configure  multiple  DSCP-to-DSCP-mutation  maps  on  an  ingress  port.  The  default 
DSCP-to-DSCP-mutation  map  is  a  null  map,  which  maps  an  incoming  DSCP  value  to  the  same  DSCP 
value. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  modify  the  DSCP-to-DSCP-mutation  map. 
This  procedure  is  optional. 


Command

Purpose

Step 1    configure terminal

Enter global configuration mode.

Step 2    mls qos map dscp-mutation dscp-mutation-name in-dscp to out-dscp

Modify the DSCP-to-DSCP-mutation map.

• For dscp-mutation-name, enter the mutation map name. You can create more than one map by specifying a new name.

• For in-dscp, enter up to eight DSCP values separated by spaces. Then enter the to keyword.

• For out-dscp, enter a single DSCP value.

The DSCP range is 0 to 63.

Step 3    interface interface-id

Specify the port to which to attach the map, and enter interface configuration mode.

Valid interfaces include physical ports.

Step 4    mls qos trust dscp

Configure the ingress port as a DSCP-trusted port. By default, the port is not trusted.

Step 5    mls qos dscp-mutation dscp-mutation-name

Apply the map to the specified ingress DSCP-trusted port.

For dscp-mutation-name, enter the mutation map name specified in Step 2.

Step 6    end

Return to privileged EXEC mode.

Step 7    show mls qos maps dscp-mutation

Verify your entries.

Step 8    copy running-config startup-config

(Optional) Save your entries in the configuration file.
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To return to the default map, use the no mls qos dscp-mutation dscp-mutation-name global configuration command.

This example shows how to define the DSCP-to-DSCP-mutation map. All the entries that are not explicitly configured are not modified (they remain as specified in the null map):

Switch(config)# mls qos map dscp-mutation mutation1 1 2 3 4 5 6 7 to 0
Switch(config)# mls qos map dscp-mutation mutation1 8 9 10 11 12 13 to 10
Switch(config)# mls qos map dscp-mutation mutation1 20 21 22 to 20
Switch(config)# mls qos map dscp-mutation mutation1 30 31 32 33 34 to 30
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# mls qos trust dscp
Switch(config-if)# mls qos dscp-mutation mutation1
Switch(config-if)# end
Switch# show mls qos maps dscp-mutation mutation1

   Dscp-dscp mutation map:
   mutation1:
     d1 :  d2  0  1  2  3  4  5  6  7  8  9
      0 :    00 00 00 00 00 00 00 00 10 10
      1 :    10 10 10 10 14 15 16 17 18 19
      2 :    20 20 20 23 24 25 26 27 28 29
      3 :    30 30 30 30 30 35 36 37 38 39
      4 :    40 41 42 43 44 45 46 47 48 49
      5 :    50 51 52 53 54 55 56 57 58 59
      6 :    60 61 62 63

Note      In the above DSCP-to-DSCP-mutation map, the mutated values are shown in the body of the matrix. The d1 column specifies the most-significant digit of the original DSCP; the d2 row specifies the least-significant digit of the original DSCP. The intersection of the d1 and d2 values provides the mutated value. For example, a DSCP value of 12 corresponds to a mutated value of 10.
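The policed-DSCP, DSCP-to-CoS and DSCP-to-DSCP-mutation examples in the preceding sections can be checked with the following added Python model, which is not code from the guide: it applies the mls qos map commands shown in those examples to the default map, renders the result in the d1/d2 matrix layout of show mls qos maps, and parses such a matrix back. The plain-text rendering approximates the switch output; the validation limits are the ranges the guide documents.

```python
"""Model of the DSCP tables set with 'mls qos map' and shown as a d1/d2 matrix.

Added example, not code from the guide. It replays the guide's own commands for the
policed-DSCP, DSCP-to-CoS and DSCP-to-DSCP-mutation maps and renders the result the
way 'show mls qos maps' lays it out, so a configured map can be compared with the intended one.
"""
import re
from typing import Dict, Iterable

DscpTable = Dict[int, int]   # incoming DSCP (0-63) -> mapped value

# 'mls qos map <kind> [dscp-mutation-name] <up to eight values> to <value>'
_MAP_CMD = re.compile(
    r"^mls qos map (policed-dscp|dscp-cos|dscp-mutation(?:\s+\S+)?)\s+(.+?)\s+to\s+(\d+)$"
)

def null_map() -> DscpTable:
    """Default policed-DSCP and DSCP-mutation map: every DSCP maps to itself."""
    return {d: d for d in range(64)}

def default_dscp_cos_map() -> DscpTable:
    """Default DSCP-to-CoS map (Table 27-14): DSCP 0-7 -> CoS 0, 8-15 -> CoS 1, ..., 56-63 -> CoS 7."""
    return {d: d // 8 for d in range(64)}

def apply_map_command(table: DscpTable, command: str) -> DscpTable:
    """Return a copy of table with one 'mls qos map ... to ...' command applied.

    Enforces the documented limits: at most eight values per command, DSCP 0-63,
    and a target CoS of 0-7 for dscp-cos.
    """
    m = _MAP_CMD.match(command.strip())
    if not m:
        raise ValueError(f"not a recognised map command: {command!r}")
    kind = m.group(1).split()[0]
    values = [int(v) for v in m.group(2).split()]
    target = int(m.group(3))
    if len(values) > 8:
        raise ValueError("at most eight DSCP values per command")
    if any(not 0 <= v <= 63 for v in values):
        raise ValueError("DSCP values must be 0 to 63")
    target_max = 7 if kind == "dscp-cos" else 63
    if not 0 <= target <= target_max:
        raise ValueError(f"target value must be 0 to {target_max}")
    new = dict(table)
    for v in values:
        new[v] = target
    return new

def build_map(start: DscpTable, commands: Iterable[str]) -> DscpTable:
    """Apply a sequence of map commands in order, as the CLI would."""
    for cmd in commands:
        start = apply_map_command(start, cmd)
    return start

def render_matrix(table: DscpTable) -> str:
    """Render the guide's d1/d2 layout: d1 (row) is the tens digit of the DSCP, d2 (column) the units digit."""
    lines = ["     d1 :  d2 " + " ".join(f"{d2:2d}" for d2 in range(10))]
    for d1 in range(7):
        cells = [f"{table[d1 * 10 + d2]:02d}" for d2 in range(10) if d1 * 10 + d2 < 64]
        lines.append(f"      {d1} :    " + " ".join(cells))
    return "\n".join(lines)

def parse_matrix(text: str) -> DscpTable:
    """Inverse of render_matrix: read the two-digit cells back into a table; header lines are skipped."""
    table: DscpTable = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\d)\s*:\s*((?:\d{2}\s*)+)$", line)
        if m:
            for d2, cell in enumerate(m.group(2).split()):
                table[int(m.group(1)) * 10 + d2] = int(cell)
    return table

# The guide's own example commands for each map (mutation1 is the map name the guide uses).
POLICED_DSCP_CMDS = ["mls qos map policed-dscp 50 51 52 53 54 55 56 57 to 0"]
DSCP_COS_CMDS = ["mls qos map dscp-cos 0 8 16 24 32 40 48 50 to 0"]
MUTATION_CMDS = [
    "mls qos map dscp-mutation mutation1 1 2 3 4 5 6 7 to 0",
    "mls qos map dscp-mutation mutation1 8 9 10 11 12 13 to 10",
    "mls qos map dscp-mutation mutation1 20 21 22 to 20",
    "mls qos map dscp-mutation mutation1 30 31 32 33 34 to 30",
]

def policed_dscp_map() -> DscpTable:
    return build_map(null_map(), POLICED_DSCP_CMDS)

def dscp_cos_map() -> DscpTable:
    return build_map(default_dscp_cos_map(), DSCP_COS_CMDS)

def mutation_map() -> DscpTable:
    return build_map(null_map(), MUTATION_CMDS)

if __name__ == "__main__":
    print("Policed-dscp map:\n" + render_matrix(policed_dscp_map()))
    print("Dscp-cos map:\n" + render_matrix(dscp_cos_map()))
    print("Dscp-dscp mutation map mutation1:\n" + render_matrix(mutation_map()))
```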


Configuring  Ingress  Queue  Characteristics 

Depending  on  the  complexity  of  your  network  and  your  QoS  solution,  you  might  need  to  perform  all  of 
the  tasks  in  the  next  sections.  You  will  need  to  make  decisions  about  these  characteristics: 

•  Which  packets  are  assigned  (by  DSCP  or  CoS  value)  to  each  queue? 

•  What  drop  percentage  thresholds  apply  to  each  queue,  and  which  CoS  or  DSCP  values  map  to  each 
threshold? 

•  How  much  of  the  available  buffer  space  is  allocated  between  the  queues? 

•  How  much  of  the  available  bandwidth  is  allocated  between  the  queues? 

•  Is  there  traffic  (such  as  voice)  that  should  be  given  high  priority? 
These  sections  contain  this  configuration  information: 

•  Mapping  DSCP  or  CoS  Values  to  an  Ingress  Queue  and  Setting  WTD  Thresholds,  page  27-64 
(optional) 

•  Allocating  Buffer  Space  Between  the  Ingress  Queues,  page  27-65  (optional) 

•  Allocating  Bandwidth  Between  the  Ingress  Queues,  page  27-65  (optional) 

•  Configuring  the  Ingress  Priority  Queue,  page  27-66  (optional) 
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Mapping  DSCP  or  CoS  Values  to  an  Ingress  Queue  and  Setting  WTD  Thresholds 

You  can  prioritize  traffic  by  placing  packets  with  particular  DSCPs  or  CoSs  into  certain  queues  and 
adjusting  the  queue  thresholds  so  that  packets  with  lower  priorities  are  dropped. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  map  DSCP  or  CoS  values  to  an  ingress  queue 
and  to  set  WTD  thresholds.  This  procedure  is  optional. 


Command 

Purpose 

Step 1    configure terminal

Enter global configuration mode.

Step 2    mls qos srr-queue input dscp-map queue queue-id threshold threshold-id dscp1...dscp8

or

mls qos srr-queue input cos-map queue queue-id threshold threshold-id cos1...cos8

Map DSCP or CoS values to an ingress queue and to a threshold ID.

By default, DSCP values 0-39 and 48-63 are mapped to queue 1 and threshold 1. DSCP values 40-47 are mapped to queue 2 and threshold 1.

By default, CoS values 0-4, 6, and 7 are mapped to queue 1 and threshold 1. CoS value 5 is mapped to queue 2 and threshold 1.

• For queue-id, the range is 1 to 2.

• For threshold-id, the range is 1 to 3. The drop-threshold percentage for threshold 3 is predefined. It is set to the queue-full state.

• For dscp1...dscp8, enter up to eight values, and separate each value with a space. The range is 0 to 63.

• For cos1...cos8, enter up to eight values, and separate each value with a space. The range is 0 to 7.

Step 3    mls qos srr-queue input threshold queue-id threshold-percentage1 threshold-percentage2

Assign the two WTD threshold percentages (for thresholds 1 and 2) to an ingress queue. By default, both thresholds are set to 100 percent.

• For queue-id, the range is 1 to 2.

• For threshold-percentage1 threshold-percentage2, the range is 1 to 100. Separate each value with a space.

Each threshold value is a percentage of the total number of queue descriptors allocated for the queue.

Step 4    end

Return to privileged EXEC mode.

Step 5    show mls qos maps

Verify your entries.

The DSCP input queue threshold map appears as a matrix. The d1 column specifies the most-significant digit of the DSCP number; the d2 row specifies the least-significant digit in the DSCP number. The intersection of the d1 and the d2 values provides the queue ID and threshold ID; for example, queue 2 and threshold 1 (02-01).

The CoS input queue threshold map shows the CoS value in the top row and the corresponding queue ID and threshold ID in the second row; for example, queue 2 and threshold 2 (2-2).

Step 6    copy running-config startup-config

(Optional) Save your entries in the configuration file.

To return to the default CoS input queue threshold map or the default DSCP input queue threshold map, use the no mls qos srr-queue input cos-map or the no mls qos srr-queue input dscp-map global configuration command. To return to the default WTD threshold percentages, use the no mls qos srr-queue input threshold queue-id global configuration command.
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This example shows how to map DSCP values 0 to 6 to ingress queue 1 and to threshold 1 with a drop threshold of 50 percent. It maps DSCP values 20 to 26 to ingress queue 1 and to threshold 2 with a drop threshold of 70 percent:

Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 1 0 1 2 3 4 5 6
Switch(config)# mls qos srr-queue input dscp-map queue 1 threshold 2 20 21 22 23 24 25 26
Switch(config)# mls qos srr-queue input threshold 1 50 70

In  this  example,  the  DSCP  values  (0  to  6)  are  assigned  the  WTD  threshold  of  50  percent  and  will  be 
dropped  sooner  than  the  DSCP  values  (20  to  26)  assigned  to  the  WTD  threshold  of  70  percent. 


Allocating  Buffer  Space  Between  the  Ingress  Queues 


You  define  the  ratio  (allocate  the  amount  of  space)  with  which  to  divide  the  ingress  buffers  between  the 
two  queues.  The  buffer  and  the  bandwidth  allocation  control  how  much  data  can  be  buffered  before 
packets  are  dropped. 


Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  allocate  the  buffers  between  the  ingress 
queues.  This  procedure  is  optional. 


Command

Purpose

Step 1    configure terminal

Enter global configuration mode.

Step 2    mls qos srr-queue input buffers percentage1 percentage2

Allocate the buffers between the ingress queues.

By default, 90 percent of the buffers are allocated to queue 1, and 10 percent of the buffers are allocated to queue 2.

For percentage1 percentage2, the range is 0 to 100. Separate each value with a space.

You should allocate the buffers so that the queues can handle any incoming bursty traffic.

Step 3    end

Return to privileged EXEC mode.

Step 4    show mls qos interface buffer

or

show mls qos input-queue

Verify your entries.

Step 5    copy running-config startup-config

(Optional) Save your entries in the configuration file.

To return to the default setting, use the no mls qos srr-queue input buffers global configuration command.

This example shows how to allocate 60 percent of the buffer space to ingress queue 1 and 40 percent of the buffer space to ingress queue 2:

Switch(config)# mls qos srr-queue input buffers 60 40


Allocating  Bandwidth  Between  the  Ingress  Queues 

You  need  to  specify  how  much  of  the  available  bandwidth  is  allocated  between  the  ingress  queues.  The 
ratio  of  the  weights  is  the  ratio  of  the  frequency  in  which  the  SRR  scheduler  sends  packets  from  each 
queue.  The  bandwidth  and  the  buffer  allocation  control  how  much  data  can  be  buffered  before  packets 
are  dropped.  On  ingress  queues,  SRR  operates  only  in  shared  mode. 
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Beginning in privileged EXEC mode, follow these steps to allocate bandwidth between the ingress queues. This procedure is optional.

Command

Purpose

Step 1    configure terminal

Enter global configuration mode.

Step 2    mls qos srr-queue input bandwidth weight1 weight2

Assign shared round robin weights to the ingress queues.

The default setting for weight1 and weight2 is 4 (1/2 of the bandwidth is equally shared between the two queues).

For weight1 and weight2, the range is 1 to 100. Separate each value with a space.

SRR services the priority queue for its configured weight as specified by the bandwidth keyword in the mls qos srr-queue input priority-queue queue-id bandwidth weight global configuration command. Then, SRR shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr-queue input bandwidth weight1 weight2 global configuration command. For more information, see the "Configuring the Ingress Priority Queue" section on page 27-66.

Step 3    end

Return to privileged EXEC mode.

Step 4    show mls qos interface queueing

or

show mls qos input-queue

Verify your entries.

Step 5    copy running-config startup-config

(Optional) Save your entries in the configuration file.

To return to the default setting, use the no mls qos srr-queue input bandwidth global configuration command.

This example shows how to assign the ingress bandwidth to the queues. Priority queueing is disabled, and the shared bandwidth ratio allocated to queue 1 is 25/(25+75) and to queue 2 is 75/(25+75):

Switch(config)# mls qos srr-queue input priority-queue 2 bandwidth 0
Switch(config)# mls qos srr-queue input bandwidth 25 75


Configuring  the  Ingress  Priority  Queue 

You  should  use  the  priority  queue  only  for  traffic  that  needs  to  be  expedited  (for  example,  voice  traffic, 
which  needs  minimum  delay  and  jitter). 

The  priority  queue  is  guaranteed  part  of  the  bandwidth  to  reduce  the  delay  and  jitter  under  heavy  network 
traffic  on  an  oversubscribed  ring  (when  there  is  more  traffic  than  the  backplane  can  carry,  and  the  queues 
are  full  and  dropping  frames). 

SRR services the priority queue for its configured weight as specified by the bandwidth keyword in the mls qos srr-queue input priority-queue queue-id bandwidth weight global configuration command. Then, SRR shares the remaining bandwidth with both ingress queues and services them as specified by the weights configured with the mls qos srr-queue input bandwidth weight1 weight2 global configuration command.
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Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  the  priority  queue.  This  procedure 
is  optional. 


Step 1   configure terminal
Enter global configuration mode.

Step 2   mls qos srr-queue input priority-queue queue-id bandwidth weight
Assign a queue as the priority queue and guarantee bandwidth on the internal ring if the ring is congested.

By default, the priority queue is queue 2, and 10 percent of the bandwidth is allocated to it.

• For queue-id, the range is 1 to 2.

• For bandwidth weight, assign the bandwidth percentage of the internal ring. The range is 0 to 40. 
The amount of bandwidth that can be guaranteed is restricted because a large value affects the 
entire ring and can degrade performance.

Step 3   end
Return to privileged EXEC mode.

Step 4   show mls qos interface queueing
or
show mls qos input-queue
Verify your entries.

Step 5   copy running-config startup-config
(Optional) Save your entries in the configuration file.

To return to the default setting, use the no mls qos srr-queue input priority-queue queue-id global 
configuration command. To disable priority queueing, set the bandwidth weight to 0, for example, mls 
qos srr-queue input priority-queue queue-id bandwidth 0.

This example shows how to assign the ingress bandwidths to the queues. Queue 1 is the priority queue 
with 10 percent of the bandwidth allocated to it. The bandwidth ratio allocated to queues 1 and 2 is 
4/(4+4). SRR services queue 1 (the priority queue) first for its configured 10 percent bandwidth. Then 
SRR equally shares the remaining 90 percent of the bandwidth between queues 1 and 2 by allocating 45 
percent to each queue:

Switch(config)# mls qos srr-queue input priority-queue 1 bandwidth 10
Switch(config)# mls qos srr-queue input bandwidth 4 4
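The two ingress examples in this section can be checked with the following Python model, an added illustration rather than Cisco code or switch output: it serves the priority queue first for its guaranteed share and splits the remainder between both queues by the configured weights. The function names, the argument checks, and the requirement that the shared weights be positive are the illustration's own assumptions.

```python
"""Model of how SRR divides the internal ring between the two ingress queues.

Added illustration, not Cisco code: it applies the rules the guide states
(the priority queue is served first for its guaranteed share; the remainder is
shared between both queues in proportion to the configured weights) so the
arithmetic of the CLI examples can be checked. Percentages are of the ring.
"""
from __future__ import annotations


def ingress_allocation(priority_queue: int, priority_bandwidth: int,
                       weight1: int, weight2: int) -> dict[int, dict[str, float]]:
    """Return, per ingress queue, its guaranteed share, its shared share and the total.

    priority_queue     : queue-id of the priority queue, 1 or 2 (default 2)
    priority_bandwidth : 'bandwidth weight' of mls qos srr-queue input priority-queue,
                         percent of the ring, 0 to 40 (default 10); 0 disables the
                         priority queue
    weight1, weight2   : weights of mls qos srr-queue input bandwidth (only their
                         ratio matters; this model only requires them to be positive,
                         an assumption of the illustration)
    """
    if priority_queue not in (1, 2):
        raise ValueError("queue-id must be 1 or 2")
    if not 0 <= priority_bandwidth <= 40:
        raise ValueError("priority-queue bandwidth weight must be 0 to 40")
    if weight1 <= 0 or weight2 <= 0:
        raise ValueError("shared weights must be positive")

    # First the priority queue is served for its configured share of the ring.
    remaining = 100 - priority_bandwidth
    # Then what is left is shared between both queues by the weight ratio.
    total_weight = weight1 + weight2
    shared = {1: remaining * weight1 / total_weight,
              2: remaining * weight2 / total_weight}

    result: dict[int, dict[str, float]] = {}
    for queue in (1, 2):
        guaranteed = float(priority_bandwidth if queue == priority_queue else 0)
        result[queue] = {"priority": guaranteed,
                         "shared": shared[queue],
                         "total": guaranteed + shared[queue]}
    return result


def ingress_commands(priority_queue: int, priority_bandwidth: int,
                     weight1: int, weight2: int) -> list[str]:
    """The two global configuration commands that express this allocation."""
    ingress_allocation(priority_queue, priority_bandwidth, weight1, weight2)  # validate
    return [f"mls qos srr-queue input priority-queue {priority_queue} "
            f"bandwidth {priority_bandwidth}",
            f"mls qos srr-queue input bandwidth {weight1} {weight2}"]


if __name__ == "__main__":
    # The guide's second example: queue 1 is the priority queue with 10 percent,
    # the remaining 90 percent is split 4:4, so queue 1 gets 10 + 45 and queue 2 gets 45.
    for queue, share in ingress_allocation(1, 10, 4, 4).items():
        print(queue, share)
```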


Configuring  Egress  Queue  Characteristics 

Depending  on  the  complexity  of  your  network  and  your  QoS  solution,  you  might  need  to  perform  all  of 
the  tasks  in  the  next  sections.  You  will  need  to  make  decisions  about  these  characteristics: 

•  Which  packets  are  mapped  by  DSCP  or  CoS  value  to  each  queue  and  threshold  ID? 

•  What  drop  percentage  thresholds  apply  to  the  queue-set  (four  egress  queues  per  port),  and  how  much 
reserved  and  maximum  memory  is  needed  for  the  traffic  type? 

•  How  much  of  the  fixed  buffer  space  is  allocated  to  the  queue-set? 

•  Does  the  bandwidth  of  the  port  need  to  be  rate  limited? 

•  How  often  should  the  egress  queues  be  serviced  and  which  technique  (shaped,  shared,  or  both) 
should  be  used? 
These sections contain this configuration information:

•  Configuration  Guidelines,  page  27-68 

•  Allocating  Buffer  Space  to  and  Setting  WTD  Thresholds  for  an  Egress  Queue-Set,  page  27-68 
(optional) 

•  Mapping  DSCP  or  CoS  Values  to  an  Egress  Queue  and  to  a  Threshold  ID,  page  27-70  (optional) 

•  Configuring  SRR  Shaped  Weights  on  Egress  Queues,  page  27-72  (optional) 

•  Configuring  SRR  Shared  Weights  on  Egress  Queues,  page  27-73  (optional) 

•  Configuring  the  Egress  Expedite  Queue,  page  27-74  (optional) 

•  Limiting  the  Bandwidth  on  an  Egress  Interface,  page  27-74  (optional) 

Configuration  Guidelines 

Follow  these  guidelines  when  the  expedite  queue  is  enabled  or  the  egress  queues  are  serviced  based  on 
their  SRR  weights: 

•  If  the  egress  expedite  queue  is  enabled,  it  overrides  the  SRR  shaped  and  shared  weights  for  queue  1. 

•  If  the  egress  expedite  queue  is  disabled  and  the  SRR  shaped  and  shared  weights  are  configured,  the 
shaped  mode  overrides  the  shared  mode  for  queue  1,  and  SRR  services  this  queue  in  shaped  mode. 

•  If  the  egress  expedite  queue  is  disabled  and  the  SRR  shaped  weights  are  not  configured,  SRR 
services  this  queue  in  shared  mode. 

Allocating  Buffer  Space  to  and  Setting  WTD  Thresholds  for  an  Egress  Queue-Set 

You can guarantee the availability of buffers, set WTD thresholds, and configure the maximum memory 
allocation for a queue-set by using the mls qos queue-set output qset-id threshold queue-id 
drop-threshold1 drop-threshold2 reserved-threshold maximum-threshold global configuration command.

Each threshold value is a percentage of the queue's allocated memory, which you specify by using the 
mls qos queue-set output qset-id buffers allocation1 ... allocation4 global configuration command. 
The queues use WTD to support distinct drop percentages for different traffic classes.

Note   The egress queue default settings are suitable for most situations. You should change them only when 
you have a thorough understanding of the egress queues and if these settings do not meet your QoS 
solution.

Beginning in privileged EXEC mode, follow these steps to configure the memory allocation and the drop 
thresholds for a queue-set. This procedure is optional.


Step 1   configure terminal
Enter global configuration mode.

Step 2   mls qos queue-set output qset-id buffers allocation1 ... allocation4
Allocate buffers to a queue-set.

By default, all allocation values are equally mapped among the four queues (25, 25, 25, 25). Each 
queue has 1/4 of the buffer space.

• For qset-id, enter the ID of the queue-set. The range is 1 to 2. Each port belongs to a queue-set, 
which defines all the characteristics of the four egress queues per port.

• For allocation1 ... allocation4, specify four percentages, one for each queue in the queue-set. For 
allocation1, allocation3, and allocation4, the range is 0 to 99. For allocation2, the range is 1 to 100 
(including the CPU buffer).

Allocate buffers according to the importance of the traffic; for example, give a large percentage of the 
buffer to the queue with the highest-priority traffic.

Step 3   mls qos queue-set output qset-id threshold queue-id drop-threshold1 drop-threshold2 reserved-threshold maximum-threshold
Configure the WTD thresholds, guarantee the availability of buffers, and configure the maximum memory 
allocation for the queue-set (four egress queues per port).

By default, the WTD thresholds for queues 1, 3, and 4 are set to 100 percent. The thresholds for 
queue 2 are set to 200 percent. The reserved thresholds for queues 1, 2, 3, and 4 are set to 50 percent. 
The maximum thresholds for all queues are set to 400 percent.

• For qset-id, enter the ID of the queue-set specified in Step 2. The range is 1 to 2.

• For queue-id, enter the specific queue in the queue-set on which the command is performed. The 
range is 1 to 4.

• For drop-threshold1 drop-threshold2, specify the two WTD thresholds expressed as a percentage 
of the queue's allocated memory. The range is 1 to 400 percent.

• For reserved-threshold, enter the amount of memory to be guaranteed (reserved) for the queue 
expressed as a percentage of the allocated memory. The range is 1 to 100 percent.

• For maximum-threshold, enable a queue in the full condition to obtain more buffers than are 
reserved for it. This is the maximum memory the queue can have before the packets are dropped if 
the common pool is not empty. The range is 1 to 400 percent.

Step 4   interface interface-id
Specify the port of the outbound traffic, and enter interface configuration mode.

Step 5   queue-set qset-id
Map the port to a queue-set.

For qset-id, enter the ID of the queue-set specified in Step 2. The range is 1 to 2. The default is 1.

Step 6   end
Return to privileged EXEC mode.

Step 7   show mls qos interface [interface-id] buffers
Verify your entries.

Step 8   copy running-config startup-config
(Optional) Save your entries in the configuration file.

To return to the default setting, use the no mls qos queue-set output qset-id buffers global 
configuration command. To return to the default WTD threshold percentages, use the no mls qos 
queue-set output qset-id threshold [queue-id] global configuration command.

This example shows how to map a port to queue-set 2. It allocates 40 percent of the buffer space to egress 
queue 1 and 20 percent to egress queues 2, 3, and 4. It configures the drop thresholds for queue 2 to 40 
and 60 percent of the allocated memory, guarantees (reserves) 100 percent of the allocated memory, and 
configures 200 percent as the maximum memory that this queue can have before packets are dropped:

Switch(config)# mls qos queue-set output 2 buffers 40 20 20 20
Switch(config)# mls qos queue-set output 2 threshold 2 40 60 100 200
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# queue-set 2


Mapping  DSCP  or  CoS  Values  to  an  Egress  Queue  and  to  a  Threshold  ID 

You can prioritize traffic by placing packets with particular DSCPs or classes of service into certain 
queues and adjusting the queue thresholds so that packets with lower priorities are dropped.

Note   The egress queue default settings are suitable for most situations. You should change them only when 
you have a thorough understanding of the egress queues and if these settings do not meet your QoS 
solution.

Beginning in privileged EXEC mode, follow these steps to map DSCP or CoS values to an egress queue 
and to a threshold ID. This procedure is optional.


Step 1   configure terminal
Enter global configuration mode.

Step 2   mls qos srr-queue output dscp-map queue queue-id threshold threshold-id dscp1...dscp8
or
mls qos srr-queue output cos-map queue queue-id threshold threshold-id cos1...cos8
Map DSCP or CoS values to an egress queue and to a threshold ID.

By default, DSCP values 0-15 are mapped to queue 2 and threshold 1. DSCP values 16-31 are mapped 
to queue 3 and threshold 1. DSCP values 32-39 and 48-63 are mapped to queue 4 and threshold 1. 
DSCP values 40-47 are mapped to queue 1 and threshold 1.

By default, CoS values 0 and 1 are mapped to queue 2 and threshold 1. CoS values 2 and 3 are mapped 
to queue 3 and threshold 1. CoS values 4, 6, and 7 are mapped to queue 4 and threshold 1. CoS value 5 
is mapped to queue 1 and threshold 1.

• For queue-id, the range is 1 to 4.

• For threshold-id, the range is 1 to 3. The drop-threshold percentage for threshold 3 is predefined. 
It is set to the queue-full state.

• For dscp1...dscp8, enter up to eight values, and separate each value with a space. The range is 
0 to 63.

• For cos1...cos8, enter up to eight values, and separate each value with a space. The range is 0 to 7.

Step 3   end
Return to privileged EXEC mode.

Step 4   show mls qos maps
Verify your entries.

The DSCP output queue threshold map appears as a matrix. The d1 column specifies the 
most-significant digit of the DSCP number; the d2 row specifies the least-significant digit in the DSCP 
number. The intersection of the d1 and the d2 values provides the queue ID and threshold ID; for 
example, queue 2 and threshold 1 (02-01).

The CoS output queue threshold map shows the CoS value in the top row and the corresponding queue 
ID and threshold ID in the second row; for example, queue 2 and threshold 2 (2-2).

Step 5   copy running-config startup-config
(Optional) Save your entries in the configuration file.

To return to the default DSCP output queue threshold map or the default CoS output queue threshold 
map, use the no mls qos srr-queue output dscp-map or the no mls qos srr-queue output cos-map 
global configuration command.

This example shows how to map DSCP values 10 and 11 to egress queue 1 and to threshold 2:

Switch(config)# mls qos srr-queue output dscp-map queue 1 threshold 2 10 11
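To see how these commands change the map that show mls qos maps displays, here is an added Python illustration (not Cisco code; the matrix layout is a constructed approximation of the d1/d2 display described in Step 4). It builds the default DSCP and CoS maps stated above, applies a dscp-map or cos-map command with the documented range checks, and renders the result; the function names are the illustration's own.

```python
"""Model of the egress DSCP and CoS output-queue threshold maps.

Added illustration, not Cisco code: it builds the default maps the guide
describes, applies the argument checks the CLI documents for
mls qos srr-queue output dscp-map / cos-map (queue 1 to 4, threshold 1 to 3,
up to eight values, DSCP 0 to 63, CoS 0 to 7) and renders the DSCP map as the
d1/d2 matrix described under show mls qos maps. The matrix layout is a
constructed approximation, not the switch's exact output.
"""
from __future__ import annotations


def default_dscp_output_map() -> dict[int, tuple[int, int]]:
    """Default DSCP -> (queue-id, threshold-id) map for the egress queues."""
    dscp_map = {}
    for dscp in range(64):
        if dscp <= 15:
            queue = 2
        elif dscp <= 31:
            queue = 3
        elif 40 <= dscp <= 47:
            queue = 1
        else:                      # 32-39 and 48-63
            queue = 4
        dscp_map[dscp] = (queue, 1)
    return dscp_map


def default_cos_output_map() -> dict[int, tuple[int, int]]:
    """Default CoS -> (queue-id, threshold-id) map for the egress queues."""
    queue_for_cos = {0: 2, 1: 2, 2: 3, 3: 3, 4: 4, 5: 1, 6: 4, 7: 4}
    return {cos: (queue, 1) for cos, queue in queue_for_cos.items()}


def apply_output_map(current: dict[int, tuple[int, int]], queue: int,
                     threshold: int, values: list[int],
                     max_value: int) -> dict[int, tuple[int, int]]:
    """Apply one 'mls qos srr-queue output {dscp-map|cos-map} queue Q threshold T v1 ... v8'.

    max_value is 63 for the DSCP map and 7 for the CoS map. Returns the updated
    map; raises ValueError when an argument is outside its documented range.
    """
    if not 1 <= queue <= 4:
        raise ValueError("queue-id must be 1 to 4")
    if not 1 <= threshold <= 3:
        raise ValueError("threshold-id must be 1 to 3")
    if not 1 <= len(values) <= 8:
        raise ValueError("enter between one and eight values per command")
    for value in values:
        if not 0 <= value <= max_value:
            raise ValueError(f"value {value} is outside 0 to {max_value}")
    updated = dict(current)
    for value in values:
        updated[value] = (queue, threshold)
    return updated


def dscp_matrix(dscp_map: dict[int, tuple[int, int]]) -> list[str]:
    """Render the map as a d1 (tens digit, down) by d2 (units digit, across) matrix.

    Each cell is queue-threshold, so 02-01 means queue 2, threshold 1.
    """
    lines = ["d1 :d2 " + " ".join(f"{d2:5d}" for d2 in range(10))]
    for d1 in range(7):
        cells = []
        for d2 in range(10):
            dscp = d1 * 10 + d2
            if dscp > 63:          # DSCP stops at 63, so the last row is short
                break
            queue, threshold = dscp_map[dscp]
            cells.append(f"{queue:02d}-{threshold:02d}")
        lines.append(f"{d1:2d} :   " + " ".join(cells))
    return lines


if __name__ == "__main__":
    # The guide's example: DSCP 10 and 11 moved to queue 1, threshold 2.
    changed = apply_output_map(default_dscp_output_map(), 1, 2, [10, 11], 63)
    print("\n".join(dscp_matrix(changed)))
```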
Configuring SRR Shaped Weights on Egress Queues

You  can  specify  how  much  of  the  available  bandwidth  is  allocated  to  each  queue.  The  ratio  of  the 
weights  is  the  ratio  of  frequency  in  which  the  SRR  scheduler  sends  packets  from  each  queue. 

You  can  configure  the  egress  queues  for  shaped  or  shared  weights,  or  both.  Use  shaping  to  smooth  bursty 
traffic  or  to  provide  a  smoother  output  over  time.  For  information  about  shaped  weights,  see  the  "SRR 
Shaping  and  Sharing"  section  on  page  27-14.  For  information  about  shared  weights,  see  the 
"Configuring  SRR  Shared  Weights  on  Egress  Queues"  section  on  page  27-73. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  assign  the  shaped  weights  and  to  enable 
bandwidth  shaping  on  the  four  egress  queues  mapped  to  a  port.  This  procedure  is  optional. 


Step 1   configure terminal
Enter global configuration mode.

Step 2   interface interface-id
Specify the port of the outbound traffic, and enter interface configuration mode.

Step 3   srr-queue bandwidth shape weight1 weight2 weight3 weight4
Assign SRR weights to the egress queues.

By default, weight1 is set to 25; weight2, weight3, and weight4 are set to 0, and these queues are in 
shared mode.

For weight1 weight2 weight3 weight4, enter the weights to control the percentage of the port that is 
shaped. The inverse ratio (1/weight) controls the shaping bandwidth for this queue. Separate each value 
with a space. The range is 0 to 65535.

If you configure a weight of 0, the corresponding queue operates in shared mode. The weight specified 
with the srr-queue bandwidth shape command is ignored, and the weights specified with the srr-queue 
bandwidth share interface configuration command for a queue come into effect. When configuring 
queues in the same queue-set for both shaping and sharing, make sure that you configure the lowest 
number queue for shaping.

The shaped mode overrides the shared mode.

Step 4   end
Return to privileged EXEC mode.

Step 5   show mls qos interface interface-id queueing
Verify your entries.

Step 6   copy running-config startup-config
(Optional) Save your entries in the configuration file.

To return to the default setting, use the no srr-queue bandwidth shape interface configuration 
command.

This example shows how to configure bandwidth shaping on queue 1. Because the weight ratios for 
queues 2, 3, and 4 are set to 0, these queues operate in shared mode. The bandwidth weight for queue 1 
is 1/8, which is 12.5 percent:

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# srr-queue bandwidth shape 8 0 0 0
Configuring SRR Shared Weights on Egress Queues

In  shared  mode,  the  queues  share  the  bandwidth  among  them  according  to  the  configured  weights.  The 
bandwidth  is  guaranteed  at  this  level  but  not  limited  to  it.  For  example,  if  a  queue  empties  and  does  not 
require  a  share  of  the  link,  the  remaining  queues  can  expand  into  the  unused  bandwidth  and  share  it 
among  them.  With  sharing,  the  ratio  of  the  weights  controls  the  frequency  of  dequeuing;  the  absolute 
values  are  meaningless. 


Note      The  egress  queue  default  settings  are  suitable  for  most  situations.  You  should  change  them  only  when 
you  have  a  thorough  understanding  of  the  egress  queues  and  if  these  settings  do  not  meet  your  QoS 
solution. 


Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  assign  the  shared  weights  and  to  enable 
bandwidth  sharing  on  the  four  egress  queues  mapped  to  a  port.  This  procedure  is  optional. 


Step 1   configure terminal
Enter global configuration mode.

Step 2   interface interface-id
Specify the port of the outbound traffic, and enter interface configuration mode.

Step 3   srr-queue bandwidth share weight1 weight2 weight3 weight4
Assign SRR weights to the egress queues.

By default, all four weights are 25 (1/4 of the bandwidth is allocated to each queue).

For weight1 weight2 weight3 weight4, enter the weights to control the ratio of the frequency in which 
the SRR scheduler sends packets. Separate each value with a space. The range is 1 to 255.

Step 4   end
Return to privileged EXEC mode.

Step 5   show mls qos interface interface-id queueing
Verify your entries.

Step 6   copy running-config startup-config
(Optional) Save your entries in the configuration file.

To return to the default setting, use the no srr-queue bandwidth share interface configuration 
command.

This example shows how to configure the weight ratio of the SRR scheduler running on an egress port. 
Four queues are used, and the bandwidth ratio allocated for each queue in shared mode is 1/(1+2+3+4), 
2/(1+2+3+4), 3/(1+2+3+4), and 4/(1+2+3+4), which is 10 percent, 20 percent, 30 percent, and 40 
percent for queues 1, 2, 3, and 4. This means that queue 4 has four times the bandwidth of queue 1, twice 
the bandwidth of queue 2, and one-and-a-third times the bandwidth of queue 3.

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# srr-queue bandwidth share 1 2 3 4


Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide, 380261-003


Configuring  the  Egress  Expedite  Queue 

You  can  ensure  that  certain  packets  have  priority  over  all  others  by  queuing  them  in  the  egress  expedite 
queue.  SRR  services  this  queue  until  it  is  empty  before  servicing  the  other  queues. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  enable  the  egress  expedite  queue.  This 
procedure  is  optional. 


Step 1   configure terminal
Enter global configuration mode.

Step 2   mls qos
Enable QoS on a switch.

Step 3   interface interface-id
Specify the egress port, and enter interface configuration mode.

Step 4   priority-queue out
Enable the egress expedite queue, which is disabled by default.

When you configure this command, the SRR weight and queue size ratios are affected because there is 
one fewer queue participating in SRR. This means that weight1 in the srr-queue bandwidth shape or 
the srr-queue bandwidth share command is ignored (not used in the ratio calculation).

Step 5   end
Return to privileged EXEC mode.

Step 6   show running-config
Verify your entries.

Step 7   copy running-config startup-config
(Optional) Save your entries in the configuration file.

To disable the egress expedite queue, use the no priority-queue out interface configuration command.

This example shows how to enable the egress expedite queue when the SRR weights are configured. The 
egress expedite queue overrides the configured SRR weights.

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# srr-queue bandwidth shape 25 0 0 0
Switch(config-if)# srr-queue bandwidth share 30 20 25 25
Switch(config-if)# priority-queue out
Switch(config-if)# end


Limiting  the  Bandwidth  on  an  Egress  Interface 

You  can  limit  the  bandwidth  on  an  egress  port.  For  example,  if  a  customer  pays  only  for  a  small 
percentage  of  a  high-speed  link,  you  can  limit  the  bandwidth  to  that  amount. 


Note      The  egress  queue  default  settings  are  suitable  for  most  situations.  You  should  change  them  only  when 
you  have  a  thorough  understanding  of  the  egress  queues  and  if  these  settings  do  not  meet  your  QoS 
solution. 


Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  limit  the  bandwidth  on  an  egress  port.  This 
procedure  is  optional. 


Step 1   configure terminal
Enter global configuration mode.

Step 2   interface interface-id
Specify the port to be rate limited, and enter interface configuration mode.

Step 3   srr-queue bandwidth limit weight1
Specify the percentage of the port speed to which the port should be limited. The range is 10 to 90.

By default, the port is not rate limited and is set to 100 percent.

Step 4   end
Return to privileged EXEC mode.

Step 5   show mls qos interface [interface-id] queueing
Verify your entries.

Step 6   copy running-config startup-config
(Optional) Save your entries in the configuration file.

To return to the default setting, use the no srr-queue bandwidth limit interface configuration 
command.

This example shows how to limit the bandwidth on a port to 80 percent:

Switch(config)# interface gigabitethernet0/1
Switch(config-if)# srr-queue bandwidth limit 80

When you configure this command to 80 percent, the port is idle 20 percent of the time. The line rate 
drops to 80 percent of the connected speed, which is 800 Mb/s. These values are not exact because the 
hardware adjusts the line rate in increments of six.
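The following Python model, an added illustration rather than Cisco code or switch output, applies the rules from the shaped-weight, shared-weight, expedite-queue and bandwidth-limit sections above so that a combination can be checked before it is committed. Its one assumption beyond the text is that the shared queues divide whatever share of the port the shaped queues leave; the function names are the illustration's own, and the hardware rounding noted for the limit command is not modelled.

```python
"""Model of how SRR divides an egress port between its four queues.

Added illustration, not Cisco code: it applies the rules the guide states for
srr-queue bandwidth shape, srr-queue bandwidth share, priority-queue out and
srr-queue bandwidth limit. One assumption is the model's own: the shared queues
divide whatever share of the port the shaped queues do not take. Percentages
are of the port's line rate; shared figures are guaranteed minimums, not caps.
"""
from __future__ import annotations


def egress_allocation(shape: tuple[int, int, int, int],
                      share: tuple[int, int, int, int],
                      expedite: bool = False,
                      limit: int = 100) -> dict[int, dict[str, object]]:
    """Return, for queues 1 to 4, the mode ('expedite', 'shaped' or 'shared') and
    the percent of the port each queue is given (None for the expedite queue,
    which is served until empty before the others).

    shape    : weights of srr-queue bandwidth shape, 0 to 65535 each; 0 puts the
               queue in shared mode, otherwise it is shaped to 1/weight of the port
               (shaped overrides shared for that queue)
    share    : weights of srr-queue bandwidth share, 1 to 255 each; only the ratio matters
    expedite : priority-queue out; queue 1 leaves the ratio and weight1 of both
               commands is ignored
    limit    : srr-queue bandwidth limit weight1, 10 to 90; 100 means not rate limited
    """
    for w in shape:
        if not 0 <= w <= 65535:
            raise ValueError("shape weights must be 0 to 65535")
    for w in share:
        if not 1 <= w <= 255:
            raise ValueError("share weights must be 1 to 255")
    if limit != 100 and not 10 <= limit <= 90:
        raise ValueError("limit must be 10 to 90")

    result: dict[int, dict[str, object]] = {}
    shaped_total = 0.0
    for queue in range(1, 5):
        if expedite and queue == 1:
            result[queue] = {"mode": "expedite", "percent": None}
        elif shape[queue - 1] > 0:
            percent = 100.0 / shape[queue - 1]          # inverse ratio, 1/weight
            shaped_total += percent
            result[queue] = {"mode": "shaped", "percent": percent}
        else:
            result[queue] = {"mode": "shared", "percent": 0.0}

    # Shared queues split the rest of the port by the ratio of their share weights
    # (model assumption: the shaped queues' share is taken off the top).
    shared_queues = [q for q, info in result.items() if info["mode"] == "shared"]
    if shared_queues:
        total_weight = sum(share[q - 1] for q in shared_queues)
        remaining = max(0.0, 100.0 - shaped_total)
        for q in shared_queues:
            result[q]["percent"] = remaining * share[q - 1] / total_weight

    # srr-queue bandwidth limit scales the whole port, so every share scales with it.
    for info in result.values():
        if info["percent"] is not None:
            info["percent"] = info["percent"] * limit / 100
    return result


def line_rate_mbps(limit: int, port_speed_mbps: int = 1000) -> float:
    """Nominal line rate after srr-queue bandwidth limit on a port of the given
    speed (the hardware rounding the guide mentions is not modelled)."""
    return port_speed_mbps * limit / 100


if __name__ == "__main__":
    # The guide's shaped example: queue 1 shaped to 1/8 of the port (12.5 percent),
    # queues 2 to 4 shared with the default weights 25 25 25.
    for queue, info in egress_allocation((8, 0, 0, 0), (25, 25, 25, 25)).items():
        print(queue, info)
```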

Displaying  Standard  QoS  Information 

To  display  standard  QoS  information,  use  one  or  more  of  the  privileged  EXEC  commands  in 
Table  27-15: 


Table 27-15   Commands for Displaying Standard QoS Information

Command
Purpose

show class-map [class-map-name]
Display QoS class maps, which define the match criteria to classify traffic.

show mls qos
Display global QoS configuration information.

show mls qos aggregate-policer [aggregate-policer-name]
Display the aggregate policer configuration.

show mls qos input-queue
Display QoS settings for the ingress queues.

show mls qos interface [interface-id] [buffers | policers | queueing | statistics]
Display QoS information at the port level, including the buffer allocation, which ports have 
configured policers, the queueing strategy, and the ingress and egress statistics.

show mls qos maps [cos-dscp | cos-input-q | cos-output-q | dscp-cos | dscp-input-q | dscp-mutation dscp-mutation-name | dscp-output-q | ip-prec-dscp | policed-dscp]
Display QoS mapping information.

show mls qos queue-set [qset-id]
Display QoS settings for the egress queues.

show mls qos vlan vlan-id
Display the policy maps attached to the specified SVI.

show policy-map [policy-map-name [class class-map-name]]
Display QoS policy maps, which define classification criteria for incoming traffic.

Note   Do not use the show policy-map interface privileged EXEC command to display classification 
information for incoming traffic. The control-plane and interface keywords are not supported, and the 
statistics shown in the display should be ignored.

show running-config | include rewrite
Display the DSCP transparency setting.
Configuring EtherChannels and Layer 2 Trunk Failover


This  chapter  describes  how  to  configure  EtherChannels  on  Layer  2  ports  on  the  switch.  EtherChannel 
provides  fault-tolerant  high-speed  links  between  switches,  routers,  and  servers.  You  can  use  it  to 
increase  the  bandwidth  between  the  wiring  closets  and  the  data  center,  and  you  can  deploy  it  anywhere 
in  the  network  where  bottlenecks  are  likely  to  occur.  EtherChannel  provides  automatic  recovery  for  the 
loss  of  a  link  by  redistributing  the  load  across  the  remaining  links.  If  a  link  fails,  EtherChannel  redirects 
traffic  from  the  failed  link  to  the  remaining  links  in  the  channel  without  intervention. 


Note      For  complete  syntax  and  usage  information  for  the  commands  used  in  this  chapter,  see  the  command 
reference  for  this  release. 

This  chapter  consists  of  these  sections: 

•  Understanding  EtherChannels,  page  28-1 

•  Configuring  EtherChannels,  page  28-8 

•  Displaying  EtherChannel,  PAgP,  and  LACP  Status,  page  28-17 

•  Understanding  Layer  2  Trunk  Failover,  page  28-17 

Understanding  EtherChannels 

These  sections  describe  how  EtherChannels  work: 

•  EtherChannel  Overview,  page  28-2 

•  Port-Channel  Interfaces,  page  28-3 

•  Port  Aggregation  Protocol,  page  28-4 

•  Link  Aggregation  Control  Protocol,  page  28-5 

•  EtherChannel  On  Mode,  page  28-6 

•  Load  Balancing  and  Forwarding  Methods,  page  28-6 
EtherChannel Overview

An  EtherChannel  consists  of  individual  Gigabit  Ethernet  links  bundled  into  a  single  logical  link  as 
shown  in  Figure  28-1. 

Figure 28-1   Typical EtherChannel Configuration (figure not reproduced; its labels are Catalyst 6500 series switch, Blade Server 1, and Blade Server 16)

In  Figure  28-1,  the  EtherChannel  provides  full-duplex  bandwidth  up  to  8  Gb/s  (Gigabit  EtherChannel) 
between  your  switch  and  another  switch  or  host. 

Each  EtherChannel  can  consist  of  up  to  eight  compatibly  configured  Ethernet  ports.  All  ports  in  each 
EtherChannel  must  be  configured  as  Layer  2  ports.  The  number  of  EtherChannels  is  limited  to  48.  For 
more  information,  see  the  "EtherChannel  Configuration  Guidelines"  section  on  page  28-9. 

You  can  configure  an  EtherChannel  in  one  of  these  modes:  Port  Aggregation  Protocol  (PAgP),  Link 
Aggregation  Control  Protocol  (LACP),  or  On.  Configure  both  ends  of  the  EtherChannel  in  the  same 
mode: 

•  When  you  configure  one  end  of  an  EtherChannel  in  either  PAgP  or  LACP  mode,  the  system 
negotiates  with  the  other  end  of  the  channel  to  determine  which  ports  should  become  active.  In 
previous  releases,  the  incompatible  ports  were  suspended.  Beginning  with  Cisco  IOS  Release 
12.2(35)SE,  instead  of  a  suspended  state,  the  local  port  is  put  into  an  independent  state  and  continues 
to  carry  data  traffic  as  would  any  other  single  link.  The  port  configuration  does  not  change,  but  the 
port  does  not  participate  in  the  EtherChannel. 

•  When  you  configure  an  EtherChannel  in  the  on  mode,  no  negotiations  take  place.  The  switch  forces 
all  compatible  ports  to  become  active  in  the  EtherChannel.  The  other  end  of  the  channel  (on  the  other 
switch)  must  also  be  configured  in  the  on  mode;  otherwise,  packet  loss  can  occur. 

If  a  link  within  an  EtherChannel  fails,  traffic  previously  carried  over  that  failed  link  moves  to  the 
remaining  links  within  the  EtherChannel.  If  traps  are  enabled  on  the  switch,  a  trap  is  sent  for  a  failure 
that  identifies  the  switch,  the  EtherChannel,  and  the  failed  link.  Inbound  broadcast  and  multicast  packets 
on  one  link  in  an  EtherChannel  are  blocked  from  returning  on  any  other  link  of  the  EtherChannel. 
Port-Channel Interfaces


When  you  create  a  Layer  2  EtherChannel,  a  port-channel  logical  interface  is  involved.  You  can  create 
the  EtherChannel  in  these  ways: 

•  Use  the  channel-group  interface  configuration  command.  This  command  automatically  creates  the 
port-channel  logical  interface  when  the  channel  group  gets  its  first  physical  port.  The 
channel-group  command  binds  the  physical  (10/100/1000  ports)  and  the  logical  ports  together  as 
shown  in  Figure  28-2. 

•  Use  the  interface  port-channel  port-channel-number  global  configuration  command  to  manually 
create the port-channel logical interface. Then use the channel-group channel-group-number 
interface  configuration  command  to  bind  the  logical  interface  to  a  physical  port.  The 
channel-group-number  can  be  the  same  as  the  port-channel-number,  or  you  can  use  a  new  number. 
If  you  use  a  new  number,  the  channel-group  command  dynamically  creates  a  new  port  channel. 

Each  EtherChannel  has  a  port-channel  logical  interface  numbered  from  1  to  48.  This  port-channel 
interface  number  corresponds  to  the  one  specified  with  the  channel-group  interface  configuration 
command. 

Figure  28-2        Relationship  of  Physical  Ports,  Logical  Port  Channels,  and  Channel  Groups 


After  you  configure  an  EtherChannel,  configuration  changes  applied  to  the  port-channel  interface  apply 
to  all  the  physical  ports  assigned  to  the  port-channel  interface.  Configuration  changes  applied  to  the 
physical  port  affect  only  the  port  where  you  apply  the  configuration.  To  change  the  parameters  of  all 
ports  in  an  EtherChannel,  apply  configuration  commands  to  the  port-channel  interface,  for  example, 
spanning-tree  commands  or  commands  to  configure  a  Layer  2  EtherChannel  as  a  trunk. 
Port Aggregation Protocol

The  Port  Aggregation  Protocol  (PAgP)  is  a  Cisco-proprietary  protocol  that  can  be  run  only  on  Cisco 
switches  and  on  those  switches  licensed  by  vendors  to  support  PAgP.  PAgP  facilitates  the  automatic 
creation  of  EtherChannels  by  exchanging  PAgP  packets  between  Ethernet  ports. 

By  using  PAgP,  the  switch  learns  the  identity  of  partners  capable  of  supporting  PAgP  and  the  capabilities 
of  each  port.  It  then  dynamically  groups  similarly  configured  ports  into  a  single  logical  link  (channel  or 
aggregate  port).  Similarly  configured  ports  are  grouped  based  on  hardware,  administrative,  and  port 
parameter  constraints.  For  example,  PAgP  groups  the  ports  with  the  same  speed,  duplex  mode,  native 
VLAN,  VLAN  range,  and  trunking  status  and  type.  After  grouping  the  links  into  an  EtherChannel,  PAgP 
adds  the  group  to  the  spanning  tree  as  a  single  switch  port. 

PAgP  Modes 

Table  28-1  shows  the  user-configurable  EtherChannel  PAgP  modes  for  the  channel-group  interface 
configuration  command. 


Table 28-1        EtherChannel PAgP Modes

Mode        Description

auto        Places a port into a passive negotiating state, in which the port responds to PAgP
            packets it receives but does not start PAgP packet negotiation. This setting
            minimizes the transmission of PAgP packets.

desirable   Places a port into an active negotiating state, in which the port starts negotiations
            with other ports by sending PAgP packets.

Switch  ports  exchange  PAgP  packets  only  with  partner  ports  configured  in  the  auto  or  desirable  modes. 
Ports  configured  in  the  on  mode  do  not  exchange  PAgP  packets. 

Both  the  auto  and  desirable  modes  enable  ports  to  negotiate  with  partner  ports  to  form  an  EtherChannel 
based  on  criteria  such  as  port  speed  and,  for  Layer  2  EtherChannels,  trunking  state  and  VLAN  numbers. 

Ports  can  form  an  EtherChannel  when  they  are  in  different  PAgP  modes  as  long  as  the  modes  are 
compatible.  For  example: 

•  A  port  in  the  desirable  mode  can  form  an  EtherChannel  with  another  port  that  is  in  the  desirable  or 
auto  mode. 

•  A  port  in  the  auto  mode  can  form  an  EtherChannel  with  another  port  in  the  desirable  mode. 

A  port  in  the  auto  mode  cannot  form  an  EtherChannel  with  another  port  that  is  also  in  the  auto  mode 
because  neither  port  starts  PAgP  negotiation. 

If  your  switch  is  connected  to  a  partner  that  is  PAgP-capable,  you  can  configure  the  switch  port  for 
nonsilent  operation  by  using  the  non-silent  keyword.  If  you  do  not  specify  non-silent  with  the  auto  or 
desirable  mode,  silent  mode  is  assumed. 

Use  the  silent  mode  when  the  switch  is  connected  to  a  device  that  is  not  PAgP-capable  and  seldom,  if 
ever,  sends  packets.  An  example  of  a  silent  partner  is  a  file  server  or  a  packet  analyzer  that  is  not 
generating  traffic.  In  this  case,  running  PAgP  on  a  physical  port  connected  to  a  silent  partner  prevents 
that  switch  port  from  ever  becoming  operational.  However,  the  silent  setting  allows  PAgP  to  operate,  to 
attach  the  port  to  a  channel  group,  and  to  use  the  port  for  transmission. 
PAgP Interaction with Other Features

The  Dynamic  Trunking  Protocol  (DTP)  and  the  Cisco  Discovery  Protocol  (CDP)  send  and  receive 
packets  over  the  physical  ports  in  the  EtherChannel.  Trunk  ports  send  and  receive  PAgP  protocol  data 
units  (PDUs)  on  the  lowest  numbered  VLAN. 

In Layer 2 EtherChannels, the first port in the channel that comes up provides its MAC address to the
EtherChannel. If this port is removed from the bundle, one of the remaining ports in the bundle provides
its MAC address to the EtherChannel.

PAgP sends and receives PAgP PDUs only from ports that are up and have PAgP enabled for the auto or
desirable mode.

Link  Aggregation  Control  Protocol 

LACP is defined in IEEE 802.3ad and enables Cisco switches to manage Ethernet channels between
switches that conform to the IEEE 802.3ad protocol. LACP facilitates the automatic creation of
EtherChannels by exchanging LACP packets between Ethernet ports.

By  using  LACP,  the  switch  learns  the  identity  of  partners  capable  of  supporting  LACP  and  the 
capabilities  of  each  port.  It  then  dynamically  groups  similarly  configured  ports  into  a  single  logical  link 
(channel  or  aggregate  port).  Similarly  configured  ports  are  grouped  based  on  hardware,  administrative, 
and  port  parameter  constraints.  For  example,  LACP  groups  the  ports  with  the  same  speed,  duplex  mode, 
native  VLAN,  VLAN  range,  and  trunking  status  and  type.  After  grouping  the  links  into  an  EtherChannel, 
LACP  adds  the  group  to  the  spanning  tree  as  a  single  switch  port. 

LACP  Modes 

Table  28-2  shows  the  user-configurable  EtherChannel  LACP  modes  for  the  channel-group  interface 
configuration  command. 


Table 28-2        EtherChannel LACP Modes

Mode        Description

active      Places a port into an active negotiating state in which the port starts negotiations with
            other ports by sending LACP packets.

passive     Places a port into a passive negotiating state in which the port responds to LACP
            packets that it receives, but does not start LACP packet negotiation. This setting
            minimizes the transmission of LACP packets.

Both the active and passive LACP modes enable ports to negotiate with partner ports to form an
EtherChannel based on criteria such as port speed and, for Layer 2 EtherChannels, trunking state and
VLAN numbers.

Ports  can  form  an  EtherChannel  when  they  are  in  different  LACP  modes  as  long  as  the  modes  are 
compatible.  For  example: 

•  A  port  in  the  active  mode  can  form  an  EtherChannel  with  another  port  that  is  in  the  active  or  passive 
mode. 

•  A  port  in  the  passive  mode  cannot  form  an  EtherChannel  with  another  port  that  is  also  in  the  passive 
mode  because  neither  port  starts  LACP  negotiation. 
LACP Interaction with Other Features


The  DTP  and  the  CDP  send  and  receive  packets  over  the  physical  ports  in  the  EtherChannel.  Trunk  ports 
send  and  receive  LACP  PDUs  on  the  lowest  numbered  VLAN. 

In  Layer  2  EtherChannels,  the  first  port  in  the  channel  that  comes  up  provides  its  MAC  address  to  the 
EtherChannel.  If  this  port  is  removed  from  the  bundle,  one  of  the  remaining  ports  in  the  bundle  provides 
its  MAC  address  to  the  EtherChannel. 

LACP  sends  and  receives  LACP  PDUs  only  from  ports  that  are  up  and  have  LACP  enabled  for  the  active 
or  passive  mode. 


EtherChannel On Mode

EtherChannel on mode can be used to manually configure an EtherChannel. The on mode forces a port
to join an EtherChannel without negotiations. The on mode can be useful if the remote device does not
support PAgP or LACP. In the on mode, a usable EtherChannel exists only when the switches at both
ends of the link are configured in the on mode.

Ports that are configured in the on mode in the same channel group must have compatible port
characteristics, such as speed and duplex. Ports that are not compatible are suspended, even though they
are configured in the on mode.

Caution      You should use care when using the on mode. This is a manual configuration, and ports on both ends of
the EtherChannel must have the same configuration. If the group is misconfigured, packet loss or
spanning-tree loops can occur.

Load Balancing and Forwarding Methods

EtherChannel balances the traffic load across the links in a channel by reducing part of the binary pattern
formed from the addresses in the frame to a numerical value that selects one of the links in the channel.
EtherChannel load balancing can use MAC addresses or IP addresses, source or destination addresses,
or both source and destination addresses. The selected mode applies to all EtherChannels configured on
the switch. You configure the load balancing and forwarding method by using the port-channel
load-balance global configuration command.

With source-MAC address forwarding, when packets are forwarded to an EtherChannel, they are
distributed across the ports in the channel based on the source-MAC address of the incoming packet.
Therefore, to provide load balancing, packets from different hosts use different ports in the channel, but
packets from the same host use the same port in the channel.

With destination-MAC address forwarding, when packets are forwarded to an EtherChannel, they are
distributed across the ports in the channel based on the destination host's MAC address of the incoming
packet. Therefore, packets to the same destination are forwarded over the same port, and packets to a
different destination are sent on a different port in the channel.

With source-and-destination MAC address forwarding, when packets are forwarded to an EtherChannel,
they are distributed across the ports in the channel based on both the source and destination MAC
addresses. This forwarding method, a combination of the source-MAC and destination-MAC address
forwarding methods of load distribution, can be used if it is not clear whether source-MAC or
destination-MAC address forwarding is better suited on a particular switch. With source-and-destination
MAC-address forwarding, packets sent from host A to host B, host A to host C, and host C to host B
could all use different ports in the channel.
With source-IP address-based forwarding, when packets are forwarded to an EtherChannel, they are
distributed across the ports in the EtherChannel based on the source-IP address of the incoming packet.
Therefore, to provide load-balancing, packets from different IP addresses use different ports in the
channel, but packets from the same IP address use the same port in the channel.

With  destination-IP  address-based  forwarding,  when  packets  are  forwarded  to  an  EtherChannel,  they  are 
distributed  across  the  ports  in  the  EtherChannel  based  on  the  destination-IP  address  of  the  incoming 
packet.  Therefore,  to  provide  load-balancing,  packets  from  the  same  IP  source  address  sent  to  different 
IP  destination  addresses  could  be  sent  on  different  ports  in  the  channel.  But  packets  sent  from  different 
source  IP  addresses  to  the  same  destination  IP  address  are  always  sent  on  the  same  port  in  the  channel. 

With  source-and-destination  IP  address-based  forwarding,  packets  are  sent  to  an  EtherChannel  and 
distributed  across  the  EtherChannel  ports,  based  on  both  the  source  and  destination  IP  addresses  of  the 
incoming  packet.  This  forwarding  method,  a  combination  of  source-IP  and  destination-IP  address-based 
forwarding,  can  be  used  if  it  is  not  clear  whether  source-IP  or  destination-IP  address-based  forwarding 
is  better  suited  on  a  particular  switch.  In  this  method,  packets  sent  from  the  IP  address  A  to  IP  address 
B,  from  IP  address  A  to  IP  address  C,  and  from  IP  address  C  to  IP  address  B  could  all  use  different  ports 
in  the  channel. 

Different  load-balancing  methods  have  different  advantages,  and  the  choice  of  a  particular 
load-balancing  method  should  be  based  on  the  position  of  the  switch  in  the  network  and  the  kind  of 
traffic  that  needs  to  be  load-distributed.  In  Figure  28-3,  an  EtherChannel  from  a  blade  switch  that  is 
aggregating  data  from  sixteen  blade  servers  communicates  with  a  router.  Because  the  router  is  a 
single-MAC-address  device,  source-based  forwarding  on  the  switch  EtherChannel  ensures  that  the 
switch  uses  all  available  bandwidth  to  the  router.  The  router  is  configured  for  destination-based 
forwarding  because  the  large  number  of  workstations  ensures  that  the  traffic  is  evenly  distributed  from 
the  router  EtherChannel. 

Use  the  option  that  provides  the  greatest  variety  in  your  configuration.  For  example,  if  the  traffic  on  a 
channel  is  only  going  to  a  single  MAC  address,  using  the  destination-MAC  address  always  chooses  the 
same  link  in  the  channel.  Using  source  addresses  or  IP  addresses  might  result  in  better  load  balancing. 
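The Figure 28-3 reasoning (a router with a single MAC address behind the channel, so destination-based
forwarding would pin every frame to one link) can be checked with a small model. The Python below is an
added example and is not part of this guide or of the switch software. The page does not specify the
switch's actual hash, so the XOR fold of the address bytes is an assumption that stands in for "reducing
part of the binary pattern formed from the addresses in the frame to a numerical value"; the sixteen
server addresses, the router addresses and the four-link channel are constructed sample values.

```python
"""Model of EtherChannel load distribution (added example; the XOR fold is an
assumption, not the switch's documented hash)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_mac: bytes
    dst_mac: bytes
    src_ip: bytes
    dst_ip: bytes


def fold(addr: bytes) -> int:
    """Reduce an address to a single byte by XOR-ing its bytes together.
    Constructed stand-in for the switch's address-to-number reduction."""
    value = 0
    for b in addr:
        value ^= b
    return value


def select_link(method: str, frame: Frame, n_links: int) -> int:
    """Return the index (0..n_links-1) of the channel member that carries
    `frame` under one of the six port-channel load-balance keywords."""
    keys = {
        "src-mac": lambda f: fold(f.src_mac),
        "dst-mac": lambda f: fold(f.dst_mac),
        "src-dst-mac": lambda f: fold(f.src_mac) ^ fold(f.dst_mac),
        "src-ip": lambda f: fold(f.src_ip),
        "dst-ip": lambda f: fold(f.dst_ip),
        "src-dst-ip": lambda f: fold(f.src_ip) ^ fold(f.dst_ip),
    }
    if method not in keys:
        raise ValueError(f"unknown load-balance method: {method}")
    return keys[method](frame) % n_links


def distribution(method: str, frames, n_links: int) -> Counter:
    """Count how many frames land on each member link."""
    return Counter(select_link(method, f, n_links) for f in frames)


# Constructed sample traffic: sixteen blade servers sending to one router,
# the Figure 28-3 scenario. All addresses are made up for this example.
ROUTER_MAC = bytes.fromhex("00aabbccddee")
ROUTER_IP = bytes([10, 0, 0, 254])


def blade_to_router_frames(n_servers: int = 16):
    return [
        Frame(
            src_mac=bytes.fromhex("0011223344") + bytes([k]),
            dst_mac=ROUTER_MAC,
            src_ip=bytes([10, 0, 0, k]),
            dst_ip=ROUTER_IP,
        )
        for k in range(1, n_servers + 1)
    ]


def links_used(method: str, n_links: int = 4) -> int:
    """How many of the channel's links carry any of the server-to-router traffic."""
    return len(distribution(method, blade_to_router_frames(), n_links))


if __name__ == "__main__":
    for m in ("src-mac", "dst-mac", "src-dst-mac", "src-ip", "dst-ip", "src-dst-ip"):
        print(f"{m:12s} links used: {links_used(m)} of 4")
```

With this traffic, dst-mac and dst-ip select the same link for every frame because every frame
carries the router's address, while src-mac, src-ip and the combined methods spread the sixteen
servers over all four links. That is the "greatest variety" rule of the paragraph above made concrete.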
Figure 28-3

Configuring EtherChannels

These  sections  contain  this  configuration  information: 

•  Default  EtherChannel  Configuration,  page  28-9 

•  EtherChannel  Configuration  Guidelines,  page  28-9 

•  Configuring  Layer  2  EtherChannels,  page  28-10  (required) 

•  Configuring  EtherChannel  Load  Balancing,  page  28-12  (optional) 

•  Configuring  the  PAgP  Learn  Method  and  Priority,  page  28-13  (optional) 

•  Configuring  LACP  Hot-Standby  Ports,  page  28-14  (optional) 

Note      Make sure that the ports are correctly configured. For more information, see the "EtherChannel
Configuration Guidelines" section on page 28-9.

Note      After you configure an EtherChannel, configuration changes applied to the port-channel interface apply
to all the physical ports assigned to the port-channel interface, and configuration changes applied to the
physical port affect only the port where you apply the configuration.
Default EtherChannel Configuration

Table 28-3 shows the default EtherChannel configuration.

Table 28-3         Default EtherChannel Configuration

Feature                          Default Setting

Channel groups                   None assigned.
Port-channel logical interface   None defined.
PAgP mode                        No default.
PAgP learn method                Aggregate-port learning on all ports.
PAgP priority                    128 on all ports.
LACP mode                        No default.
LACP learn method                Aggregate-port learning on all ports.
LACP port priority               32768 on all ports.
LACP system priority             32768.
LACP system ID                   LACP system priority and the switch MAC address.
Load balancing                   Load distribution on the switch is based on the
                                 source-MAC address of the incoming packet.

EtherChannel  Configuration  Guidelines 

If  improperly  configured,  some  EtherChannel  ports  are  automatically  disabled  to  avoid  network  loops 
and  other  problems.  Follow  these  guidelines  to  avoid  configuration  problems: 

•  Do  not  try  to  configure  more  than  48  EtherChannels  on  the  switch. 

•  Configure  a  PAgP  EtherChannel  with  up  to  eight  Ethernet  ports  of  the  same  type. 

•  Configure  a  LACP  EtherChannel  with  up  to  16  Ethernet  ports  of  the  same  type.  Up  to  eight  ports  can 
be  active,  and  up  to  eight  ports  can  be  in  standby  mode. 

•  Configure  all  ports  in  an  EtherChannel  to  operate  at  the  same  speeds  and  duplex  modes. 

•  Enable  all  ports  in  an  EtherChannel.  A  port  in  an  EtherChannel  that  is  disabled  by  using  the 
shutdown  interface  configuration  command  is  treated  as  a  link  failure,  and  its  traffic  is  transferred 
to  one  of  the  remaining  ports  in  the  EtherChannel. 

•  When  a  group  is  first  created,  all  ports  follow  the  parameters  set  for  the  first  port  to  be  added  to  the 
group.  If  you  change  the  configuration  of  one  of  these  parameters,  you  must  also  make  the  changes 
to  all  ports  in  the  group: 

- Allowed-VLAN list

-  Spanning-tree  path  cost  for  each  VLAN 

-  Spanning-tree  port  priority  for  each  VLAN 

-  Spanning-tree  Port  Fast  setting 

•  Do  not  configure  a  port  to  be  a  member  of  more  than  one  EtherChannel  group. 
• Do not configure an EtherChannel in both the PAgP and LACP modes. EtherChannel groups
running PAgP and LACP can coexist on the same switch. Individual EtherChannel groups can run
either PAgP or LACP, but they cannot interoperate.

•  Do  not  configure  a  Switched  Port  Analyzer  (SPAN)  destination  port  as  part  of  an  EtherChannel. 

•  Do  not  configure  a  secure  port  as  part  of  an  EtherChannel  or  the  reverse. 

• Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an
IEEE 802.1x port. If you try to enable IEEE 802.1x on an EtherChannel port, an error message
appears, and IEEE 802.1x is not enabled.

• If EtherChannels are configured on switch interfaces, remove the EtherChannel configuration from
the interfaces before globally enabling IEEE 802.1x on a switch by using the dot1x
system-auth-control global configuration command.

•  For  Layer  2  EtherChannels: 

-  Assign  all  ports  in  the  EtherChannel  to  the  same  VLAN,  or  configure  them  as  trunks.  Ports  with 
different  native  VLANs  cannot  form  an  EtherChannel. 

- If you configure an EtherChannel from trunk ports, verify that the trunking mode (ISL or
IEEE 802.1Q) is the same on all the trunks. Inconsistent trunk modes on EtherChannel ports can
have unexpected results.

-  An  EtherChannel  supports  the  same  allowed  range  of  VLANs  on  all  the  ports  in  a  trunking 
Layer  2  EtherChannel.  If  the  allowed  range  of  VLANs  is  not  the  same,  the  ports  do  not  form  an 
EtherChannel  even  when  PAgP  is  set  to  the  auto  or  desirable  mode. 

-  Ports  with  different  spanning-tree  path  costs  can  form  an  EtherChannel  if  they  are  otherwise 
compatibly  configured.  Setting  different  spanning-tree  path  costs  does  not,  by  itself,  make  ports 
incompatible  for  the  formation  of  an  EtherChannel. 
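The mode-compatibility rules in the "PAgP Modes" and "LACP Modes" sections and the guidelines above
are easy to check mechanically before a change window, which matters because a misconfigured bundle
can leave ports suspended or cause loops. The Python below is an added example, not part of this guide
or of the switch software: it audits a set of member ports against those rules and reports which channel
groups will not form with a given partner mode. The Port record, the message wording and the sample
interface names are assumptions made for the example; the limits (48 channels, 8 PAgP ports, 16 LACP
ports) are the ones stated on this page.

```python
"""Audit EtherChannel member ports against this chapter's guidelines
(added example; the Port record and message strings are assumptions)."""
from dataclasses import dataclass

PAGP_MODES = {"auto", "desirable"}
LACP_MODES = {"active", "passive"}
MAX_CHANNELS = 48       # no more than 48 EtherChannels per switch
MAX_PAGP_PORTS = 8      # a PAgP bundle holds up to eight ports
MAX_LACP_PORTS = 16     # LACP: up to 16 ports, eight active plus eight standby


@dataclass(frozen=True)
class Port:
    name: str
    group: int              # channel-group number
    mode: str               # auto | desirable | on | active | passive
    speed: int = 1000       # Mb/s
    duplex: str = "full"
    vlan: int = 1           # access VLAN, or native VLAN of a trunk
    shutdown: bool = False
    dot1x: bool = False     # IEEE 802.1x enabled on the port
    secure: bool = False    # port security enabled
    span_dest: bool = False # SPAN destination port


def compatible(local: str, partner: str) -> bool:
    """True if the two channel-group modes negotiate into an EtherChannel."""
    if "on" in (local, partner):
        return local == partner                  # on pairs only with on
    if local in PAGP_MODES and partner in PAGP_MODES:
        return "desirable" in (local, partner)   # auto/auto never starts PAgP
    if local in LACP_MODES and partner in LACP_MODES:
        return "active" in (local, partner)      # passive/passive never starts LACP
    return False                                 # PAgP and LACP do not interoperate


def audit(ports, partner_modes=None):
    """Return the guideline violations for the given member ports.
    partner_modes maps a channel-group number to the mode the link partner uses."""
    partner_modes = partner_modes or {}
    problems, groups, membership = [], {}, {}
    for p in ports:
        groups.setdefault(p.group, []).append(p)
        if p.name in membership and membership[p.name] != p.group:
            problems.append(f"{p.name}: member of more than one channel group")
        membership.setdefault(p.name, p.group)
        if p.shutdown:
            problems.append(f"{p.name}: shut down, treated as a link failure")
        if p.dot1x:
            problems.append(f"{p.name}: IEEE 802.1x is not allowed on an EtherChannel port")
        if p.secure:
            problems.append(f"{p.name}: secure port cannot be an EtherChannel member")
        if p.span_dest:
            problems.append(f"{p.name}: SPAN destination cannot be an EtherChannel member")
    if len(groups) > MAX_CHANNELS:
        problems.append(f"{len(groups)} channel groups exceed the limit of {MAX_CHANNELS}")
    for g, members in sorted(groups.items()):
        modes = {m.mode for m in members}
        uses_pagp, uses_lacp = bool(modes & PAGP_MODES), bool(modes & LACP_MODES)
        if uses_pagp and uses_lacp:
            problems.append(f"group {g}: mixes PAgP and LACP modes")
        if uses_pagp and len(members) > MAX_PAGP_PORTS:
            problems.append(f"group {g}: {len(members)} ports exceed the PAgP limit of {MAX_PAGP_PORTS}")
        if uses_lacp and len(members) > MAX_LACP_PORTS:
            problems.append(f"group {g}: {len(members)} ports exceed the LACP limit of {MAX_LACP_PORTS}")
        if len({(m.speed, m.duplex) for m in members}) > 1:
            problems.append(f"group {g}: members differ in speed or duplex")
        if len({m.vlan for m in members}) > 1:
            problems.append(f"group {g}: members are not all in the same VLAN")
        partner = partner_modes.get(g)
        if partner is not None:
            for mode in sorted(modes):
                if not compatible(mode, partner):
                    problems.append(
                        f"group {g}: local mode {mode} and partner mode {partner} will not form a channel")
    return problems


if __name__ == "__main__":
    # Constructed sample: a clean PAgP bundle and a deliberately broken group.
    sample = [Port("Gi0/1", 5, "desirable", vlan=10), Port("Gi0/2", 5, "desirable", vlan=10),
              Port("Gi0/3", 6, "auto", vlan=10), Port("Gi0/4", 6, "active", vlan=20, speed=100)]
    for line in audit(sample, {5: "auto", 6: "auto"}):
        print(line)
```

The partner mode is supplied by hand because the local configuration cannot tell you what the far end
runs; that is exactly why an auto/auto or passive/passive pairing fails silently in practice.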


Configuring  Layer  2  EtherChannels 

You  configure  Layer  2  EtherChannels  by  assigning  ports  to  a  channel  group  with  the  channel-group 
interface  configuration  command.  This  command  automatically  creates  the  port-channel  logical 
interface. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  assign  a  Layer  2  Ethernet  port  to  a  Layer  2 
EtherChannel.  This  procedure  is  required. 


Command                                           Purpose

Step 1   configure terminal

         Enter global configuration mode.

Step 2   interface interface-id

         Specify a physical port, and enter interface configuration mode.
         Valid interfaces include physical ports.

         For a PAgP EtherChannel, you can configure up to eight ports of
         the same type and speed for the same group.

         For a LACP EtherChannel, you can configure up to 16 Ethernet
         ports of the same type. Up to eight ports can be active, and up to
         eight ports can be in standby mode.

Step 3   switchport mode {access | trunk}
         switchport access vlan vlan-id

         Assign all ports as static-access ports in the same VLAN, or
         configure them as trunks.

         If you configure the port as a static-access port, assign it to only
         one VLAN. The range is 1 to 4094.

Step 4   channel-group channel-group-number mode {auto [non-silent] |
         desirable [non-silent] | on} | {active | passive}

         Assign the port to a channel group, and specify the PAgP or the
         LACP mode.

         For channel-group-number, the range is 1 to 48.
         For mode, select one of these keywords:

         • auto — Enables PAgP only if a PAgP device is detected. It
           places the port into a passive negotiating state, in which the
           port responds to PAgP packets it receives but does not start
           PAgP packet negotiation.

         • desirable — Unconditionally enables PAgP. It places the
           port into an active negotiating state, in which the port starts
           negotiations with other ports by sending PAgP packets.

         • on — Forces the port to channel without PAgP or LACP. In
           the on mode, an EtherChannel exists only when a port group
           in the on mode is connected to another port group in the on
           mode.

         • non-silent — (Optional) If your switch is connected to a
           partner that is PAgP-capable, configure the switch port for
           nonsilent operation when the port is in the auto or desirable
           mode. If you do not specify non-silent, silent is assumed.
           The silent setting is for connections to file servers or packet
           analyzers. This setting allows PAgP to operate, to attach the
           port to a channel group, and to use the port for transmission.

         • active — Enables LACP only if a LACP device is detected. It
           places the port into an active negotiating state in which the
           port starts negotiations with other ports by sending LACP
           packets.

         • passive — Enables LACP on the port and places it into a
           passive negotiating state in which the port responds to LACP
           packets that it receives, but does not start LACP packet
           negotiation.

         For information on compatible modes for the switch and its
         partner, see the "PAgP Modes" section on page 28-4 and the
         "LACP Modes" section on page 28-5.

Step 5   end

         Return to privileged EXEC mode.

Step 6   show running-config

         Verify your entries.

Step 7   copy running-config startup-config

         (Optional) Save your entries in the configuration file.


To  remove  a  port  from  the  EtherChannel  group,  use  the  no  channel-group  interface  configuration 
command. 
This example shows how to configure an EtherChannel. It assigns two ports as static-access ports in
VLAN 10 to channel 5 with the PAgP mode desirable:

Switch# configure terminal
Switch(config)# interface range gigabitethernet0/1 -2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# channel-group 5 mode desirable non-silent
Switch(config-if-range)# end

This example shows how to configure an EtherChannel. It assigns two ports as static-access ports in
VLAN 10 to channel 5 with the LACP mode active:

Switch# configure terminal
Switch(config)# interface range gigabitethernet0/1 -2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# channel-group 5 mode active
Switch(config-if-range)# end

Configuring  EtherChannel  Load  Balancing 

This  section  describes  how  to  configure  EtherChannel  load  balancing  by  using  source-based  or 
destination-based  forwarding  methods.  For  more  information,  see  the  "Load  Balancing  and  Forwarding 
Methods"  section  on  page  28-6. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  EtherChannel  load  balancing.  This 
procedure  is  optional. 


Command                                           Purpose

Step 1   configure terminal

         Enter global configuration mode.

Step 2   port-channel load-balance {dst-ip | dst-mac |
         src-dst-ip | src-dst-mac | src-ip | src-mac}

         Configure an EtherChannel load-balancing method.
         The default is src-mac.

         Select one of these load-distribution methods:

         • dst-ip — Load distribution is based on the destination-host IP
           address.

         • dst-mac — Load distribution is based on the destination-host
           MAC address of the incoming packet.

         • src-dst-ip — Load distribution is based on the
           source-and-destination host-IP address.

         • src-dst-mac — Load distribution is based on the
           source-and-destination host-MAC address.

         • src-ip — Load distribution is based on the source-host IP
           address.

         • src-mac — Load distribution is based on the source-MAC
           address of the incoming packet.

Step 3   end

         Return to privileged EXEC mode.

Step 4   show etherchannel load-balance

         Verify your entries.

Step 5   copy running-config startup-config

         (Optional) Save your entries in the configuration file.

To  return  EtherChannel  load  balancing  to  the  default  configuration,  use  the  no  port-channel 
load-balance  global  configuration  command. 


Configuring  the  PAgP  Learn  Method  and  Priority 

Network  devices  are  classified  as  PAgP  physical  learners  or  aggregate-port  learners.  A  device  is  a 
physical  learner  if  it  learns  addresses  by  physical  ports  and  directs  transmissions  based  on  that 
knowledge.  A  device  is  an  aggregate-port  learner  if  it  learns  addresses  by  aggregate  (logical)  ports.  The 
learn  method  must  be  configured  the  same  at  both  ends  of  the  link. 

When  a  device  and  its  partner  are  both  aggregate-port  learners,  they  learn  the  address  on  the  logical 
port-channel.  The  device  sends  packets  to  the  source  by  using  any  of  the  ports  in  the  EtherChannel.  With 
aggregate-port  learning,  it  is  not  important  on  which  physical  port  the  packet  arrives. 

PAgP  cannot  automatically  detect  when  the  partner  device  is  a  physical  learner  and  when  the  local 
device  is  an  aggregate-port  learner.  Therefore,  you  must  manually  set  the  learning  method  on  the  local 
device  to  learn  addresses  by  physical  ports.  You  also  must  set  the  load-distribution  method  to 
source-based  distribution,  so  that  any  given  source  MAC  address  is  always  sent  on  the  same  physical 
port. 

You  also  can  configure  a  single  port  within  the  group  for  all  transmissions  and  use  other  ports  for  hot 
standby.  The  unused  ports  in  the  group  can  be  swapped  into  operation  in  just  a  few  seconds  if  the  selected 
single port loses hardware-signal detection. You can configure which port is always selected for packet
transmission  by  changing  its  priority  with  the  pagp  port-priority  interface  configuration  command.  The 
higher  the  priority,  the  more  likely  that  the  port  will  be  selected. 

Note      The  switch  supports  address  learning  only  on  aggregate  ports  even  though  the  physical-port  keyword 
is  provided  in  the  CLI.  The  pagp  learn-method  command  and  the  pagp  port-priority  command  have 
no  effect  on  the  switch  hardware,  but  they  are  required  for  PAgP  interoperability  with  devices  that  only 
support  address  learning  by  physical  ports. 

When  the  link  partner  of  the  blade  switch  is  a  physical  learner  (such  as  a  Catalyst  1900  series  switch), 
we  recommend  that  you  configure  the  blade  switch  as  a  physical-port  learner  by  using  the  pagp 
learn-method  physical-port  interface  configuration  command.  Set  the  load-distribution  method  based 
on  the  source  MAC  address  by  using  the  port-channel  load-balance  src-mac  global  configuration 
command.  The  switch  then  sends  packets  to  the  Catalyst  1900  switch  using  the  same  port  in  the 
EtherChannel  from  which  it  learned  the  source  address.  Only  use  the  pagp  learn-method  command  in 
this  situation. 


380261-003     Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide     28-13

Chapter 28     Configuring EtherChannels and Layer 2 Trunk Failover
Configuring EtherChannels


Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  configure  your  switch  as  a  PAgP 
physical-port  learner  and  to  adjust  the  priority  so  that  the  same  port  in  the  bundle  is  selected  for  sending 
packets.  This  procedure  is  optional. 


Command                                           Purpose

Step 1   configure terminal

         Enter global configuration mode.

Step 2   interface interface-id

         Specify the port for transmission, and enter interface
         configuration mode.

Step 3   pagp learn-method physical-port

         Select the PAgP learning method.

         By default, aggregation-port learning is selected, which means
         the switch sends packets to the source by using any of the ports
         in the EtherChannel. With aggregate-port learning, it is not
         important on which physical port the packet arrives.

         Select physical-port to connect with another switch that is a
         physical learner. Make sure to configure the port-channel
         load-balance global configuration command to src-mac as
         described in the "Configuring EtherChannel Load Balancing"
         section on page 28-12.

         The learning method must be configured the same at both ends
         of the link.

Step 4   pagp port-priority priority

         Assign a priority so that the selected port is chosen for packet
         transmission.

         For priority, the range is 0 to 255. The default is 128. The higher
         the priority, the more likely that the port will be used for PAgP
         transmission.

Step 5   end

         Return to privileged EXEC mode.

Step 6   show running-config
         or
         show pagp channel-group-number internal

         Verify your entries.

Step 7   copy running-config startup-config

         (Optional) Save your entries in the configuration file.

To  return  the  priority  to  its  default  setting,  use  the  no  pagp  port-priority  interface  configuration 
command.  To  return  the  learning  method  to  its  default  setting,  use  the  no  pagp  learn-method  interface 
configuration  command. 


Configuring  LACP  Hot-Standby  Ports 

When  enabled,  LACP  tries  to  configure  the  maximum  number  of  LACP-compatible  ports  in  a  channel, 
up  to  a  maximum  of  16  ports.  Only  eight  LACP  links  can  be  active  at  one  time.  The  software  places  any 
additional  links  in  a  hot-standby  mode.  If  one  of  the  active  links  becomes  inactive,  a  link  that  is  in  the 
hot-standby  mode  becomes  active  in  its  place. 
If you configure more than eight links for an EtherChannel group, the software automatically decides
which of the hot-standby ports to make active based on the LACP priority. To every link between
systems that operate LACP, the software assigns a unique priority made up of these elements (in priority
order):

•  LACP  system  priority 

•  System  ID  (the  switch  MAC  address) 

•  LACP  port  priority 

•  Port  number 

In  priority  comparisons,  numerically  lower  values  have  higher  priority.  The  priority  decides  which  ports 
should  be  put  in  standby  mode  when  there  is  a  hardware  limitation  that  prevents  all  compatible  ports 
from  aggregating. 

Determining  which  ports  are  active  and  which  are  hot  standby  is  a  two-step  procedure.  First  the  system 
with  a  numerically  lower  system  priority  and  system-id  is  placed  in  charge  of  the  decision.  Next,  that 
system  decides  which  ports  are  active  and  which  are  hot  standby,  based  on  its  values  for  port  priority 
and  port  number.  The  port-priority  and  port-number  values  for  the  other  system  are  not  used. 

You  can  change  the  default  values  of  the  LACP  system  priority  and  the  LACP  port  priority  to  affect  how 
the  software  selects  active  and  standby  links.  For  more  information,  see  the  "Configuring  the  LACP 
System  Priority"  section  on  page  28-15  and  the  "Configuring  the  LACP  Port  Priority"  section  on 
page  28-16. 
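The two-step decision above, worked as a small Python model. This is an added illustration, not Cisco code or CLI output: the MAC addresses, port numbers and priorities are constructed, and MAX_ACTIVE and MAX_COMPATIBLE are the eight-active/16-port limits stated in the text.

```python
"""Model of the LACP active/hot-standby decision described in the text.

Added illustration, not Cisco code: the system with the numerically lower
(LACP system priority, system ID) pair is in charge, and that system ranks
the candidate links by its own (LACP port priority, port number) pair.
All MAC addresses, port numbers and priorities below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_ACTIVE = 8             # active LACP links per channel (from the text)
MAX_COMPATIBLE = 16        # links LACP will try to bundle (from the text)
DEFAULT_PRIORITY = 32768   # default for both system priority and port priority


@dataclass
class System:
    mac: str                              # system ID, e.g. "0011.2233.4455"
    system_priority: int = DEFAULT_PRIORITY

    def key(self) -> Tuple[int, int]:
        # lower value wins; the MAC (as an integer) breaks priority ties
        return (self.system_priority, int(self.mac.replace(".", ""), 16))


@dataclass
class Link:
    """One physical link: the port number and port priority each side uses."""
    local_port: int
    remote_port: int
    local_port_priority: int = DEFAULT_PRIORITY
    remote_port_priority: int = DEFAULT_PRIORITY


def deciding_system(local: System, remote: System) -> str:
    """Step 1: the lower (system priority, system ID) pair is put in charge."""
    return "local" if local.key() < remote.key() else "remote"


def select_active(local: System, remote: System, links: List[Link]) -> Dict:
    """Step 2: the deciding system orders the links by its own port priority
    and port number; the first MAX_ACTIVE become active, the rest hot-standby."""
    if len(links) > MAX_COMPATIBLE:
        raise ValueError(f"LACP bundles at most {MAX_COMPATIBLE} ports")
    who = deciding_system(local, remote)

    def rank(link: Link) -> Tuple[int, int]:
        if who == "local":
            return (link.local_port_priority, link.local_port)
        # the other system's port priority and port number are not used
        return (link.remote_port_priority, link.remote_port)

    ordered = sorted(links, key=rank)
    return {
        "decided_by": who,
        "active": [link.local_port for link in ordered[:MAX_ACTIVE]],
        "hot_standby": [link.local_port for link in ordered[MAX_ACTIVE:]],
    }


def scenarios() -> Dict[str, Dict]:
    """Ten constructed links; the remote port numbering is reversed so it is
    visible which system's port numbers were used for the ranking."""
    links = [Link(local_port=i, remote_port=11 - i) for i in range(1, 11)]
    local = System("0011.2233.4455")
    remote = System("0011.2233.4466")
    out = {"defaults": select_active(local, remote, links)}
    # the remote side lowers its system priority and takes over the decision
    out["remote_decides"] = select_active(local, System(remote.mac, 100), links)
    # the local side prefers its port 9 by giving it a lower port priority ...
    links[8].local_port_priority = 100
    out["local_port_priority"] = select_active(local, remote, links)
    # ... which changes nothing while the remote system is in charge
    out["remote_ignores_local_priority"] = select_active(
        local, System(remote.mac, 100), links)
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: decided by {result['decided_by']}, "
              f"active={result['active']}, hot-standby={result['hot_standby']}")
```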


Configuring the LACP System Priority

You can configure the system priority for all the EtherChannels that are enabled for LACP by using the lacp system-priority global configuration command. You cannot configure a system priority for each LACP-configured channel. By changing this value from the default, you can affect how the software selects active and standby links.

You can use the show etherchannel summary privileged EXEC command to see which ports are in the hot-standby mode (denoted with an H port-state flag).

Beginning in privileged EXEC mode, follow these steps to configure the LACP system priority. This procedure is optional.

Step 1   configure terminal
         Enter global configuration mode.

Step 2   lacp system-priority priority
         Configure the LACP system priority.
         For priority, the range is 1 to 65535. The default is 32768.
         The lower the value, the higher the system priority.

Step 3   end
         Return to privileged EXEC mode.

Step 4   show running-config
         or
         show lacp sys-id
         Verify your entries.

Step 5   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To return the LACP system priority to the default value, use the no lacp system-priority global configuration command.
Configuring the LACP Port Priority

By default, all ports use the same port priority. If the local system has a lower value for the system priority and the system ID than the remote system, you can affect which of the hot-standby links become active first by changing the port priority of LACP EtherChannel ports to a lower value than the default. The hot-standby ports that have lower port numbers become active in the channel first. You can use the show etherchannel summary privileged EXEC command to see which ports are in the hot-standby mode (denoted with an H port-state flag).

Note   If LACP is not able to aggregate all the ports that are compatible (for example, the remote system might have more restrictive hardware limitations), all the ports that cannot be actively included in the EtherChannel are put in the hot-standby state and are used only if one of the channeled ports fails.

Beginning in privileged EXEC mode, follow these steps to configure the LACP port priority. This procedure is optional.

Step 1   configure terminal
         Enter global configuration mode.

Step 2   interface interface-id
         Specify the port to be configured, and enter interface configuration mode.

Step 3   lacp port-priority priority
         Configure the LACP port priority.
         For priority, the range is 1 to 65535. The default is 32768. The lower the value, the more likely that the port will be used for LACP transmission.

Step 4   end
         Return to privileged EXEC mode.

Step 5   show running-config
         or
         show lacp [channel-group-number] internal
         Verify your entries.

Step 6   copy running-config startup-config
         (Optional) Save your entries in the configuration file.

To return the LACP port priority to the default value, use the no lacp port-priority interface configuration command.
Displaying EtherChannel, PAgP, and LACP Status

To display EtherChannel, PAgP, and LACP status information, use the privileged EXEC commands described in Table 28-4:

Table 28-4   Commands for Displaying EtherChannel, PAgP, and LACP Status

show etherchannel [channel-group-number {detail | port | port-channel | protocol | summary}] {detail | load-balance | port | port-channel | protocol | summary}
         Displays EtherChannel information in a brief, detailed, and one-line summary form. Also displays the load-balance or frame-distribution scheme, port, port-channel, and protocol information.

show pagp [channel-group-number] {counters | internal | neighbor}
         Displays PAgP information such as traffic information, the internal PAgP configuration, and neighbor information.

show lacp [channel-group-number] {counters | internal | neighbor}
         Displays LACP information such as traffic information, the internal LACP configuration, and neighbor information.

You can clear PAgP channel-group information and traffic counters by using the clear pagp {channel-group-number counters | counters} privileged EXEC command.

You can clear LACP channel-group information and traffic counters by using the clear lacp {channel-group-number counters | counters} privileged EXEC command.

For detailed information about the fields in the displays, see the command reference for this release.

Understanding Layer 2 Trunk Failover

Layer 2 trunk failover, also known as link-state tracking, is a feature that provides Layer 2 redundancy in the network when used with server NIC adapter teaming. When the server network adapters are configured in a primary or secondary relationship known as teaming, if the link is lost on the primary interface, connectivity is transparently switched to the secondary interface.

When you enable Layer 2 trunk failover on the switch, the link state of the internal downstream ports is bound to the link state of one or more of the external upstream ports. An internal downstream port is an interface that is connected to the server. An external upstream port is an interface that is connected to the external network. When you associate a set of downstream ports with a set of upstream ports, if all of the upstream ports become unavailable, trunk failover automatically puts all of the associated downstream ports in an error-disabled state. This causes the server primary interface to fail over to the secondary interface.

When Layer 2 trunk failover is not enabled, if the upstream interfaces lose connectivity (the external switch or router goes down, the cables are disconnected, or link is lost), the link state of the downstream interfaces remains unchanged. The server is not aware that external connectivity has been lost and does not fail over to the secondary interface.

An interface can be an aggregation of ports (an EtherChannel) or a single physical port in access or trunk mode. Each downstream interface can be associated with one or more upstream interfaces. Upstream interfaces can be bundled together, and each downstream interface can be associated with a single group consisting of multiple upstream interfaces. These groups are referred to as link-state groups.

In a link-state group, the link states of the downstream interfaces are dependent on the link states of the upstream interfaces. If all of the upstream interfaces in a link-state group are in the link-down state, the associated downstream interfaces are forced into the link-down state. If any one of the upstream interfaces in the link-state group is in a link-up state, the associated downstream interfaces can change to or remain in the link-up state.


Figure 28-4   Typical Layer 2 Trunk Failover Configuration
[Figure: BladeCenter switch with downstream interface 1 and downstream interface 2 toward the servers, and upstream links to an external switch, for example a Catalyst 3550 switch.]

In Figure 28-4, downstream interfaces 1, 3, and 5 are defined in link-state group 1 with upstream interfaces 19 and 20. Similarly, downstream interfaces 2, 4, and 6 are defined in link-state group 2 with upstream interfaces 21 and 22.

If link is lost on upstream interface 19, the link states of downstream interfaces 1, 3, and 5 do not change. If upstream interface 20 also loses link, downstream interfaces 1, 3, and 5 go into a link-down state. Downstream interfaces 2, 4, and 6 do not change states.

You can recover a downstream interface link-down condition by removing the failed downstream port from the link-state group. To recover multiple downstream interfaces, disable the link-state group.


Configuring Layer 2 Trunk Failover

These sections describe how to configure trunk failover ports:

• Default Layer 2 Trunk Failover Configuration, page 28-18

• Layer 2 Trunk Failover Configuration Guidelines, page 28-19

• Configuring Layer 2 Trunk Failover, page 28-19

Default Layer 2 Trunk Failover Configuration

There are no link-state groups defined, and trunk failover is not enabled for any group.
Layer 2 Trunk Failover Configuration Guidelines

Follow these guidelines to avoid configuration problems:

• Do not configure a cross-connect interface (gi0/17 or gi0/18) as a member of a link-state group.

• Do not configure an EtherChannel as a downstream interface.

• Only interfaces gi0/1 through gi0/16 can be configured as downstream ports in a specific link-state group.

• Only interfaces gi0/19 through gi0/24 can be configured as upstream ports in a specific link-state group.

• An interface that is defined as an upstream interface cannot also be defined as a downstream interface in the same or a different link-state group. The reverse is also true.

• An interface cannot be a member of more than one link-state group.

• You can configure only two link-state groups per switch.
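A Python model, added here as an illustration and not Cisco code, that checks a proposed link-state configuration against the guidelines above and replays the Figure 28-4 failure sequence from the "Understanding Layer 2 Trunk Failover" section. The interface names and port ranges follow the page; the link_up map of which upstream ports have link is constructed.

```python
"""Link-state group model for the CGESM guidelines and the Figure 28-4 example.

Added illustration, not Cisco code. Interface names follow the page:
gi0/1-16 may be downstream, gi0/17-18 are cross-connect ports that may not
join a group, gi0/19-24 may be upstream, and a port-channel (po<n>) may be
upstream only. The link_up maps passed in are constructed test input."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

MAX_GROUPS = 2
DOWNSTREAM_CAPABLE = {f"gi0/{n}" for n in range(1, 17)}
CROSS_CONNECT = {"gi0/17", "gi0/18"}
UPSTREAM_CAPABLE = {f"gi0/{n}" for n in range(19, 25)}
PORT_CHANNEL = re.compile(r"^po\d+$")       # e.g. "po1"


@dataclass
class LinkStateGroup:
    number: int
    enabled: bool = True                    # "link state track <number>"
    upstream: Set[str] = field(default_factory=set)
    downstream: Set[str] = field(default_factory=set)


def validate(groups: List[LinkStateGroup]) -> List[str]:
    """Return one message per guideline violation (an empty list means OK)."""
    errors: List[str] = []
    if len(groups) > MAX_GROUPS:
        errors.append(f"only {MAX_GROUPS} link-state groups are allowed")
    owner: Dict[str, int] = {}              # interface -> group already using it
    for g in groups:
        if g.number not in (1, 2):
            errors.append(f"group {g.number}: number must be 1 or 2")
        for ifc in g.upstream & g.downstream:
            errors.append(f"{ifc}: cannot be both upstream and downstream")
        for ifc in g.upstream | g.downstream:
            if ifc in CROSS_CONNECT:
                errors.append(f"{ifc}: cross-connect interface cannot join a group")
            if ifc in owner and owner[ifc] != g.number:
                errors.append(f"{ifc}: already a member of group {owner[ifc]}")
            owner[ifc] = g.number
        for ifc in g.upstream:
            if not (ifc in UPSTREAM_CAPABLE or PORT_CHANNEL.match(ifc)):
                errors.append(f"{ifc}: not a valid upstream interface")
        for ifc in g.downstream:
            if PORT_CHANNEL.match(ifc):
                errors.append(f"{ifc}: an EtherChannel cannot be a downstream interface")
            elif ifc not in DOWNSTREAM_CAPABLE:
                errors.append(f"{ifc}: not a valid downstream interface")
    return errors


def downstream_state(group: LinkStateGroup, link_up: Dict[str, bool]) -> str:
    """Downstream ports are forced down only when tracking is enabled and every
    upstream port of the group is down; otherwise they may be (or stay) up.
    Upstream ports missing from link_up are treated as up."""
    if not group.enabled:
        return "untracked"
    if any(link_up.get(ifc, True) for ifc in group.upstream):
        return "link-up"
    return "link-down (error-disabled)"


def figure_28_4() -> List[LinkStateGroup]:
    """The group layout the text describes for Figure 28-4."""
    return [
        LinkStateGroup(1, upstream={"gi0/19", "gi0/20"},
                       downstream={"gi0/1", "gi0/3", "gi0/5"}),
        LinkStateGroup(2, upstream={"gi0/21", "gi0/22"},
                       downstream={"gi0/2", "gi0/4", "gi0/6"}),
    ]


def walk_through() -> Dict[str, Dict[int, str]]:
    """Replays the two failures from the text: losing gi0/19 alone changes
    nothing; losing gi0/20 as well takes group 1's downstream ports down."""
    groups = figure_28_4()
    assert validate(groups) == []
    results: Dict[str, Dict[int, str]] = {}
    for label, link_up in (("gi0/19 down", {"gi0/19": False}),
                           ("gi0/19 and gi0/20 down", {"gi0/19": False, "gi0/20": False})):
        results[label] = {g.number: downstream_state(g, link_up) for g in groups}
    return results


if __name__ == "__main__":
    bad = [LinkStateGroup(1, upstream={"gi0/17"}, downstream={"po1"})]
    print("guideline check:", validate(bad))
    for label, states in walk_through().items():
        print(f"{label}: {states}")
```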


Configuring Layer 2 Trunk Failover

Beginning in privileged EXEC mode, follow these steps to configure a link-state group and to assign an interface to a group:

Step 1   configure terminal
         Enter global configuration mode.

Step 2   link state track number
         Create a link-state group, and enable link-state tracking. The group number can be 1 or 2; the default is 1.

Step 3   interface interface-id
         Specify a physical interface or range of interfaces to configure, and enter interface configuration mode.
         Valid interfaces include physical ports in access or trunk mode (IEEE 802.1Q) or multiple physical ports bundled into an EtherChannel interface (static or LACP), also in trunk mode.

Step 4   link state group [number] {upstream | downstream}
         Specify a link-state group, and configure the interface as either an upstream or downstream interface in the group.

Step 5   end
         Return to privileged EXEC mode.

Step 6   show running-config
         Verify your entries.

Step 7   copy running-config startup-config
         (Optional) Save your entries in the configuration file.
This example shows how to create a link-state group and configure the interfaces:

Switch# configure terminal
Switch(config)# link state track 1
Switch(config)# interface range gigabitethernet0/21 - 22
Switch(config-if-range)# link state group 1 upstream
Switch(config-if-range)# interface gigabitethernet0/1
Switch(config-if)# link state group 1 downstream
Switch(config-if)# interface gigabitethernet0/3
Switch(config-if)# link state group 1 downstream
Switch(config-if)# interface gigabitethernet0/5
Switch(config-if)# link state group 1 downstream
Switch(config-if)# end

Note   If the interfaces are part of an EtherChannel, you must specify the port channel name as part of the link-state group, not the individual port members.

This example shows how to create a link-state group using ports in an EtherChannel:

Switch# configure terminal
Switch(config)# link state track 1
Switch(config)# interface po1
Switch(config-if)# link state group 1 upstream
Switch(config-if)# interface range gigabitethernet0/1, gigabitethernet0/3, gigabitethernet0/5
Switch(config-if-range)# link state group 1 downstream
Switch(config-if-range)# end

To disable a link-state group, use the no link state track number global configuration command.

Displaying Layer 2 Trunk Failover Status

Use the show link state group command to display the link-state group information. Enter this command without keywords to display information about all link-state groups. Enter the group number to display information specific to the group. Enter the detail keyword to display detailed information about the group.

This is an example of output from the show link state group 1 command:

Switch> show link state group 1
Link State Group: 1  Status: Enabled, Up

This is an example of output from the show link state group detail command:

Switch> show link state group detail
Link State Group: 1  Status: Enabled, Up
Upstream Interfaces   : Po1(Up)
Downstream Interfaces : Gi0/3(Up) Gi0/4(Up)

Link State Group: 2  Status: Disabled, Down
Upstream Interfaces   :
Downstream Interfaces :

(Up):Interface up   (Dwn):Interface Down   (Dis):Interface disabled

For detailed information about the fields in the display, see the command reference for this release.
Troubleshooting

This chapter describes how to identify and resolve software problems related to the Cisco IOS software on the switch. Depending on the nature of the problem, you can use the command-line interface (CLI) or the device manager to identify and solve problems.

Additional troubleshooting information, such as LED descriptions, is provided in the hardware installation guide.

Note   For complete syntax and usage information for the commands used in this chapter, see the command reference for this release and the Cisco IOS Command Summary, Release 12.2.

This chapter consists of these sections:

• Recovering from a Software Failure, page 29-2

• Recovering from a Lost or Forgotten Password, page 29-3

• Recovering from a Command Switch Failure, page 29-8

• Recovering from Lost Cluster Member Connectivity, page 29-11

Note   Recovery procedures require that you have physical access to the switch.

• Preventing Autonegotiation Mismatches, page 29-11

• SFP Module Security and Identification, page 29-12

• Monitoring SFP Module Status, page 29-12

• Using Ping, page 29-13

• Using Layer 2 Traceroute, page 29-14

• Using IP Traceroute, page 29-16

• Using TDR, page 29-18

• Using Debug Commands, page 29-18

• Using the show platform forward Command, page 29-20

• Using the crashinfo Files, page 29-22
Recovering from a Software Failure

Switch software can be corrupted during an upgrade, by downloading the wrong file to the switch, and by deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there is no connectivity.

This procedure uses the Xmodem Protocol to recover from a corrupt or wrong image file. There are many software packages that support the Xmodem Protocol, and this procedure is largely dependent on the emulation software that you are using.

This recovery procedure requires that you have physical access to the switch.

Follow these steps to recover from a corrupt or wrong image file:

Step 1   From your PC, download the software image tar file (image_filename.tar) from Cisco.com.

The Cisco IOS image is stored as a bin file in a directory in the tar file. For information about locating the software image files on Cisco.com, see the release notes.

Step 2   Extract the bin file from the tar file.

• If you are using Windows, use a zip program that can read a tar file. Use the zip program to navigate to and extract the bin file.

• If you are using UNIX, follow these steps:

1. Display the contents of the tar file by using the tar -tvf <image_filename.tar> UNIX command.

unix% tar -tvf image_filename.tar

2. Locate the bin file, and extract it by using the tar -xvf <image_filename.tar> <image_filename.bin> UNIX command.

hostname% tar -xvf image_filename.tar image_filename.bin
x cgesm-i612-mz.122.25-SE/cgesm-i612-mz.122.25-SE.bin, 2928176 bytes, 5720 tape blocks

3. Verify that the bin file was extracted by using the ls -l <image_filename.bin> UNIX command.

switch% ls -l image_filename.bin
-rw-r--r--   1 boba  2928176 Apr 21 12:01 cgesm-i612-mz.122.25-SE/cgesm-i612-mz.122.25-SE.bin

Step 3   Connect your PC with terminal-emulation software supporting the Xmodem Protocol to the switch console port.

Step 4   Set the line speed on the emulation software to 9600 baud.

Step 5   Use a pointed device, such as a ballpoint pen, to press the Pwr/Rst button on the front panel of the switch.

Step 6   Press the Mode button and at the same time, reconnect the power cord to the switch.

You can release the Mode button a second or two after the LED above port 1 goes off. Several lines of information about the software appear along with instructions:

The system has been interrupted prior to initializing the flash file system. The following
commands will initialize the flash file system, and finish loading the operating system
software:

flash_init
load_helper
boot

Note   Initialize the flash file system:

switch: flash_init

Step 7   If you had set the console port speed to anything other than 9600, it has been reset to that particular speed. Change the emulation software line speed to match that of the switch console port.

Step 8   Load any helper files:

switch: load_helper

Step 9   Start the file transfer by using the Xmodem Protocol.

switch: copy xmodem: flash:image_filename.bin

Step 10   After the Xmodem request appears, use the appropriate command on the terminal-emulation software to start the transfer and to copy the software image into flash memory.

Step 11   Boot up the newly downloaded Cisco IOS image.

switch: boot flash:image_filename.bin

Step 12   Use the archive download-sw privileged EXEC command to download the software image to the switch.

Step 13   Use the reload privileged EXEC command to restart the switch and to verify that the new software image is operating properly.

Step 14   Delete the flash:image_filename.bin file from the switch.

Recovering from a Lost or Forgotten Password

The default configuration for the switch allows an end user with physical access to the switch to recover from a lost password by interrupting the bootup process during power-on and by entering a new password. These recovery procedures require that you have physical access to the switch.

Note   On these switches, a system administrator can disable some of the functionality of this feature by allowing an end user to reset a password only by agreeing to return to the default configuration. If you are an end user trying to reset a password when password recovery has been disabled, a status message shows this during the recovery process.

These sections describe how to recover a forgotten or lost switch password:

• Procedure with Password Recovery Enabled, page 29-4

• Procedure with Password Recovery Disabled, page 29-6

You enable or disable password recovery by using the service password-recovery global configuration command. Follow the steps in this procedure if you have forgotten or lost the switch password.

Step 1   Connect a terminal or PC with terminal-emulation software to the switch console port.

Step 2   Set the line speed on the emulation software to 9600 baud.

Step 3   Use a pointed device, such as a ballpoint pen, to press the Pwr/Rst button on the front panel of the switch.

Step 4   Within 15 seconds, press the Mode button while the System LED is still flashing green. Continue pressing the Mode button until the System LED turns briefly amber and then solid green; then release the Mode button.

Several lines of information about the software appear with instructions, informing you if the password recovery procedure has been disabled or not.

• If you see a message that begins with this:

The system has been interrupted prior to initializing the flash file system. The
following commands will initialize the flash file system

go to the "Procedure with Password Recovery Enabled" section on page 29-4, and follow the steps.

• If you see a message that begins with this:

The password-recovery mechanism has been triggered, but is currently disabled.

go to the "Procedure with Password Recovery Disabled" section on page 29-6, and follow the steps.

Procedure with Password Recovery Enabled

If the password-recovery mechanism is enabled, this message appears:

The system has been interrupted prior to initializing the flash file system. The following
commands will initialize the flash file system, and finish loading the operating system
software:

flash_init
load_helper
boot

Follow these steps to enable password recovery:

Step 1   Initialize the flash file system:

switch: flash_init

Step 2   If you had set the console port speed to anything other than 9600, it has been reset to that particular speed. Change the emulation software line speed to match that of the switch console port.

Step 3   Load any helper files:

switch: load_helper

Step 4   Display the contents of flash memory:

switch: dir flash:

The switch file system appears:

Directory of flash:
13  drwx  192   Mar 01 1993 22:30:48
11  -rwx  5825  Mar 01 1993 22:31:59  config.text
18  -rwx  720   Mar 01 1993 02:21:30  vlan.dat

16128000 bytes total (10003456 bytes free)

Step 5   Rename the configuration file to config.text.old.

This file contains the password definition.

switch: rename flash:config.text flash:config.text.old

Step 6   Boot up the system:

switch: boot

You are prompted to start the setup program. Enter N at the prompt:

Continue with the configuration dialog? [yes/no]: N

Step 7   At the switch prompt, enter privileged EXEC mode:

Switch> enable

Step 8   Rename the configuration file to its original name:

Switch# rename flash:config.text.old flash:config.text

Note   Before continuing to Step 9, power on any connected stack members and wait until they have completely initialized. Failure to follow this step can result in a lost configuration depending on how your switch is set up.

Step 9   Copy the configuration file into memory:

Switch# copy flash:config.text system:running-config
Source filename [config.text]?
Destination filename [running-config]?

Press Return in response to the confirmation prompts.

The configuration file is now reloaded, and you can change the password.

Step 10   Enter global configuration mode:

Switch# configure terminal

Step 11   Change the password:

Switch(config)# enable secret password

The secret password can be from 1 to 25 alphanumeric characters, can start with a number, is case sensitive, and allows spaces but ignores leading spaces.

Step 12   Return to privileged EXEC mode:

Switch(config)# exit
Switch#

Step 13   Write the running configuration to the startup configuration file:

Switch# copy running-config startup-config

The new password is now in the startup configuration.

Note   This procedure is likely to leave your switch virtual interface in a shutdown state. You can see which interface is in this state by entering the show running-config privileged EXEC command. To re-enable the interface, enter the interface vlan vlan-id global configuration command, and specify the VLAN ID of the shutdown interface. With the switch in interface configuration mode, enter the no shutdown command.

Step 14   Reload the switch:

Switch# reload

Procedure with Password Recovery Disabled

If the password-recovery mechanism is disabled, this message appears:

The password-recovery mechanism has been triggered, but
is currently disabled.  Access to the boot loader prompt
through the password-recovery mechanism is disallowed at
this point.  However, if you agree to let the system be
reset back to the default system configuration, access
to the boot loader prompt can still be allowed.

Would you like to reset the system back to the default configuration (y/n)?

Caution   Returning the switch to the default configuration results in the loss of all existing configurations. We recommend that you contact your system administrator to verify if there are backup switch and VLAN configuration files.

• If you enter n (no), the normal bootup process continues as if the Mode button had not been pressed; you cannot access the boot loader prompt, and you cannot enter a new password. You see the message:

Press Enter to continue

• If you enter y (yes), the configuration file in flash memory and the VLAN database file are deleted. When the default configuration loads, you can reset the password.

Step 1   Elect to continue with password recovery and lose the existing configuration:

Would you like to reset the system back to the default configuration (y/n)? Y

Step 2   Load any helper files:

switch: load_helper

Step 3   Display the contents of flash memory:

switch: dir flash:

The switch file system appears:

Directory of flash:
13  drwx  192   Mar 01 1993 22:30:48

16128000 bytes total (10003456 bytes free)

Step 4   Boot up the system:

switch: boot

You are prompted to start the setup program. To continue with password recovery, enter N at the prompt:

Continue with the configuration dialog? [yes/no]: N

Step 5   At the switch prompt, enter privileged EXEC mode:

Switch> enable

Step 6   Enter global configuration mode:

Switch# configure terminal

Step 7   Change the password:

Switch(config)# enable secret password

The secret password can be from 1 to 25 alphanumeric characters, can start with a number, is case sensitive, and allows spaces but ignores leading spaces.

Step 8   Return to privileged EXEC mode:

Switch(config)# exit
Switch#

Step 9   Write the running configuration to the startup configuration file:

Switch# copy running-config startup-config

The new password is now in the startup configuration.

Note   This procedure is likely to leave your switch virtual interface in a shutdown state. You can see which interface is in this state by entering the show running-config privileged EXEC command. To re-enable the interface, enter the interface vlan vlan-id global configuration command, and specify the VLAN ID of the shutdown interface. With the switch in interface configuration mode, enter the no shutdown command.

Step 10   You must now reconfigure the switch. If the system administrator has the backup switch and VLAN configuration files available, you should use those.

Step 11   Reload the switch:

Switch# reload
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Recovering  from  a  Command  Switch  Failure 

This  section  describes  how  to  recover  from  a  failed  command  switch.  You  can  configure  a  redundant 
command  switch  group  by  using  the  Hot  Standby  Router  Protocol  (HSRP).  For  more  information,  see 
Chapter  6,  "Clustering  Switches. "For  more  information,  see  Chapter  6,  "Clustering  Switches".  Also  see 
the  Getting  Started  with  Cisco  Network  Assistant,  available  on  Cisco.com. 

X   

Note      HSRP  is  the  preferred  method  for  supplying  redundancy  to  a  cluster. 


If  you  have  not  configured  a  standby  command  switch,  and  your  command  switch  loses  power  or  fails 
in  some  other  way,  management  contact  with  the  member  switches  is  lost,  and  you  must  install  a  new 
command  switch.  However,  connectivity  between  switches  that  are  still  connected  is  not  affected,  and 
the  member  switches  forward  packets  as  usual.  You  can  manage  the  members  as  standalone  switches 
through  the  console  port,  or,  if  they  have  IP  addresses,  through  the  other  management  interfaces. 

You  can  prepare  for  a  command  switch  failure  by  assigning  an  IP  address  to  a  member  switch  or  another 
switch  that  is  command-capable,  making  a  note  of  the  command-switch  password,  and  cabling  your 
cluster  to  provide  redundant  connectivity  between  the  member  switches  and  the  replacement  command 
switch.  These  sections  describe  two  solutions  for  replacing  a  failed  command  switch: 

•  Replacing  a  Failed  Command  Switch  with  a  Cluster  Member,  page  29-8 

•  Replacing  a  Failed  Command  Switch  with  Another  Switch,  page  29-10 
These  recovery  procedures  require  that  you  have  physical  access  to  the  switch. 
For  information  on  command-capable  switches,  see  the  release  notes. 

Replacing  a  Failed  Command  Switch  with  a  Cluster  Member 

To  replace  a  failed  command  switch  with  a  command-capable  member  in  the  same  cluster,  follow  these 
steps: 

Step  1      Disconnect  the  command  switch  from  the  member  switches,  and  physically  remove  it  from  the  cluster. 

Step  2      Insert  the  member  switch  in  place  of  the  failed  command  switch,  and  duplicate  its  connections  to  the 
cluster  members. 

Step  3      Start  a  CLI  session  on  the  new  command  switch. 

You  can  access  the  CLI  by  using  the  console  port  or,  if  an  IP  address  has  been  assigned  to  the  switch, 
by  using  Telnet.  For  details  about  using  the  console  port,  see  the  switch  hardware  installation  guide. 

Step  4      At  the  switch  prompt,  enter  privileged  EXEC  mode: 

Switch> enable
Switch#

Step  5      Enter  the  password  of  the  failed  command  switch. 
Step  6      Enter  global  configuration  mode. 

Switch# configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Step  7      Remove  the  member  switch  from  the  cluster. 

Switch(config)# no cluster commander-address

Step 8  Return to privileged EXEC mode.

Switch(config)# end
Switch#

Step  9      Use  the  setup  program  to  configure  the  switch  IP  information.  This  program  prompts  you  for  IP  address 
information  and  passwords.  From  privileged  EXEC  mode,  enter  setup,  and  press  Return. 

Switch# setup

         --- System Configuration Dialog ---

Continue with configuration dialog? [yes/no]: y

At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Basic  management  setup  configures  only  enough  connectivity 
for  management  of  the  system,   extended  setup  will  ask  you 
to  configure  each  interface  on  the  system 

Would  you  like  to  enter  basic  management  setup?    [yes/no] : 

Step  10    Enter  Y  at  the  first  prompt. 

The  prompts  in  the  setup  program  vary  depending  on  the  member  switch  that  you  selected  to  be  the 
command  switch: 

Continue  with  configuration  dialog?    [yes/no] :  y 

or 

Configuring  global  parameters: 

If  this  prompt  does  not  appear,  enter  enable,  and  press  Return.  Enter  setup,  and  press  Return  to  start 
the  setup  program. 

Step  11     Respond  to  the  questions  in  the  setup  program. 

When prompted for the hostname, recall that on a command switch, the hostname is limited to
28 characters; on a member switch to 31 characters. Do not use -n, where n is a number, as the last
characters in a hostname for any switch.

When  prompted  for  the  Telnet  (virtual  terminal)  password,  recall  that  it  can  be  from  1  to  25 
alphanumeric  characters,  is  case  sensitive,  allows  spaces,  but  ignores  leading  spaces. 

Step  12     When  prompted  for  the  enable  secret  and  enable  passwords,  enter  the  passwords  of  the  failed  command 
switch  again. 

Step  13    When  prompted,  make  sure  to  enable  the  switch  as  the  cluster  command  switch,  and  press  Return. 
Step  14     When  prompted,  assign  a  name  to  the  cluster,  and  press  Return. 

The  cluster  name  can  be  1  to  31  alphanumeric  characters,  dashes,  or  underscores. 
Step  15    After  the  initial  configuration  displays,  verify  that  the  addresses  are  correct. 
Step  16     If  the  displayed  information  is  correct,  enter  Y,  and  press  Return. 

If  this  information  is  not  correct,  enter  N,  press  Return,  and  begin  again  at  Step  9. 
Step  17     Start  your  browser,  and  enter  the  IP  address  of  the  new  command  switch. 

Step  18    From  the  Cluster  menu,  select  Add  to  Cluster  to  display  a  list  of  candidate  switches  to  add  to  the  cluster. 
Replacing a Failed Command Switch with Another Switch

To  replace  a  failed  command  switch  with  a  switch  that  is  command-capable  but  not  part  of  the  cluster, 
follow  these  steps: 


Step  1      Insert  the  new  switch  in  place  of  the  failed  command  switch,  and  duplicate  its  connections  to  the  cluster 
members. 

Step  2      Start  a  CLI  session  on  the  new  command  switch. 

You  can  access  the  CLI  by  using  the  console  port  or,  if  an  IP  address  has  been  assigned  to  the  switch, 
by  using  Telnet.  For  details  about  using  the  console  port,  see  the  switch  hardware  installation  guide. 

Step  3      At  the  switch  prompt,  enter  privileged  EXEC  mode: 

Switch> enable
Switch#

Step  4      Enter  the  password  of  the  failed  command  switch. 

Step  5      Use  the  setup  program  to  configure  the  switch  IP  information. 

This  program  prompts  you  for  IP  address  information  and  passwords.  From  privileged  EXEC  mode, 
enter  setup,  and  press  Return. 

Switch# setup

         --- System Configuration Dialog ---

Continue with configuration dialog? [yes/no]: y

At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Basic  management  setup  configures  only  enough  connectivity 
for  management  of  the  system,   extended  setup  will  ask  you 
to  configure  each  interface  on  the  system 

Would  you  like  to  enter  basic  management  setup?    [yes/no] : 

Step  6      Enter  Y  at  the  first  prompt. 

The  prompts  in  the  setup  program  vary  depending  on  the  switch  you  selected  to  be  the  command  switch: 

Continue  with  configuration  dialog?    [yes/no] :  y 

or 

Configuring  global  parameters: 

If  this  prompt  does  not  appear,  enter  enable,  and  press  Return.  Enter  setup,  and  press  Return  to  start 
the  setup  program. 

Step  7      Respond  to  the  questions  in  the  setup  program. 

When  prompted  for  the  hostname,  recall  that  on  a  command  switch,  the  hostname  is  limited  to  28 
characters.  Do  not  use  -n,  where  n  is  a  number,  as  the  last  character  in  a  hostname  for  any  switch. 

When  prompted  for  the  Telnet  (virtual  terminal)  password,  recall  that  it  can  be  from  1  to  25 
alphanumeric  characters,  is  case  sensitive,  allows  spaces,  but  ignores  leading  spaces. 

Step  8      When  prompted  for  the  enable  secret  and  enable  passwords,  enter  the  passwords  of  the  failed  command 
switch  again. 

Step  9      When  prompted,  make  sure  to  enable  the  switch  as  the  cluster  command  switch,  and  press  Return. 
Step 10  When prompted, assign a name to the cluster, and press Return.

The  cluster  name  can  be  1  to  31  alphanumeric  characters,  dashes,  or  underscores. 
Step  11     When  the  initial  configuration  displays,  verify  that  the  addresses  are  correct. 
Step  12    If  the  displayed  information  is  correct,  enter  Y,  and  press  Return. 

If  this  information  is  not  correct,  enter  N,  press  Return,  and  begin  again  at  Step  9. 
Step  13     Start  your  browser,  and  enter  the  IP  address  of  the  new  command  switch. 

Step  14    From  the  Cluster  menu,  select  Add  to  Cluster  to  display  a  list  of  candidate  switches  to  add  to  the  cluster. 


Recovering  from  Lost  Cluster  Member  Connectivity 

Some  configurations  can  prevent  the  command  switch  from  maintaining  contact  with  member  switches. 
If  you  are  unable  to  maintain  management  contact  with  a  member,  and  the  member  switch  is  forwarding 
packets  normally,  check  for  these  conflicts: 

•  A  member  switch  (Catalyst  3750,  Catalyst  3560,  Catalyst  3550,  Catalyst  3500  XL,  Catalyst  2970, 
Catalyst  2960,  CGESM,  Catalyst  2950,  Catalyst  2900  XL,  Catalyst  2820,  and  Catalyst  1900  switch) 
cannot  connect  to  the  command  switch  through  a  port  that  is  defined  as  a  network  port. 

•  Catalyst  3500  XL,  Catalyst  2900  XL,  Catalyst  2820,  and  Catalyst  1900  member  switches  must 
connect  to  the  command  switch  through  a  port  that  belongs  to  the  same  management  VLAN. 

•  A  member  switch  (Catalyst  3750,  Catalyst  3560,  Catalyst  3550,  Catalyst  2970,  Catalyst  2960, 
CGESM,  Catalyst  2950,  Catalyst  3500  XL,  Catalyst  2900  XL,  Catalyst  2820,  and  Catalyst  1900 
switch)  connected  to  the  command  switch  through  a  secured  port  can  lose  connectivity  if  the  port  is 
disabled  because  of  a  security  violation. 


Preventing  Autonegotiation  Mismatches 

The IEEE 802.3ab autonegotiation protocol manages the switch settings for speed (10 Mb/s, 100 Mb/s,
and 1000 Mb/s, excluding SFP module ports) and duplex (half or full). There are situations when this
protocol can incorrectly align these settings, reducing performance. A mismatch occurs under these
circumstances:

•  A  manually  set  speed  or  duplex  parameter  is  different  from  the  manually  set  speed  or  duplex 
parameter  on  the  connected  port. 

•  A  port  is  set  to  autonegotiate,  and  the  connected  port  is  set  to  full  duplex  with  no  autonegotiation. 
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To  maximize  switch  performance  and  ensure  a  link,  follow  one  of  these  guidelines  when  changing  the 
settings  for  duplex  and  speed: 

•  Let  both  ports  autonegotiate  both  speed  and  duplex. 

•  Manually  set  the  speed  and  duplex  parameters  for  the  ports  on  both  ends  of  the  connection. 


Note      If  a  remote  device  does  not  autonegotiate,  configure  the  duplex  settings  on  the  two  ports  to  match.  The 
speed  parameter  can  adjust  itself  even  if  the  connected  port  does  not  autonegotiate. 
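As an added illustration (not code from this guide or from Cisco IOS), this Python model applies the two mismatch conditions and the note above to a pair of port settings. It assumes the IEEE fallback behaviour that a negotiating port which detects a non-negotiating peer matches its speed but settles on half duplex; the PortConfig, LinkResult and resolve_link names are the example's own.

```python
from dataclasses import dataclass
from typing import Optional

SPEEDS = (10, 100, 1000)  # Mb/s on the copper ports (SFP module ports excluded)


@dataclass(frozen=True)
class PortConfig:
    """Speed/duplex of one port; both None means the port autonegotiates."""
    speed: Optional[int] = None     # 10, 100, 1000 or None
    duplex: Optional[str] = None    # "half", "full" or None

    def __post_init__(self):
        # The guideline is all-auto or all-manual on a port, so reject half-set ports.
        if (self.speed is None) != (self.duplex is None):
            raise ValueError("set both speed and duplex manually, or leave both on auto")
        if self.speed is not None and self.speed not in SPEEDS:
            raise ValueError(f"unsupported speed {self.speed}")
        if self.duplex not in (None, "half", "full"):
            raise ValueError(f"unsupported duplex {self.duplex}")

    @property
    def auto(self) -> bool:
        return self.speed is None


@dataclass(frozen=True)
class LinkResult:
    speed: Optional[int]            # None when no link comes up at all
    local_duplex: Optional[str]
    remote_duplex: Optional[str]

    @property
    def link_up(self) -> bool:
        return self.speed is not None

    @property
    def duplex_mismatch(self) -> bool:
        return self.link_up and self.local_duplex != self.remote_duplex

    @property
    def ok(self) -> bool:
        return self.link_up and not self.duplex_mismatch


def resolve_link(local: PortConfig, remote: PortConfig) -> LinkResult:
    """Predict what each side settles on for the given pair of settings."""
    if local.auto and remote.auto:
        # Both sides negotiate: highest common speed, full duplex on both ends.
        return LinkResult(max(SPEEDS), "full", "full")
    if local.auto != remote.auto:
        # One side is forced. The negotiating side can still detect the speed
        # (the note above: speed adjusts even when the peer does not negotiate)
        # but cannot learn the duplex and falls back to half duplex (assumed
        # IEEE fallback). A forced full-duplex peer is the second bullet's case.
        forced = remote if local.auto else local
        if local.auto:
            return LinkResult(forced.speed, "half", forced.duplex)
        return LinkResult(forced.speed, forced.duplex, "half")
    # Both forced: speeds must agree for a link, duplex must agree for no mismatch.
    if local.speed != remote.speed:
        return LinkResult(None, None, None)
    return LinkResult(local.speed, local.duplex, remote.duplex)


def explain(local: PortConfig, remote: PortConfig) -> str:
    """One-line verdict with the guideline that resolves a mismatch."""
    r = resolve_link(local, remote)
    if not r.link_up:
        return "no link: manually set speeds differ on the two ports"
    if r.duplex_mismatch:
        return (f"duplex mismatch at {r.speed} Mb/s: local {r.local_duplex}, "
                f"remote {r.remote_duplex}; let both ports autonegotiate, "
                "or set speed and duplex manually on both ends")
    return f"ok: {r.speed} Mb/s, {r.local_duplex} duplex on both ends"
```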


SFP  Module  Security  and  Identification 

Cisco small form-factor pluggable (SFP) modules have a serial EEPROM that contains the module serial
number, the vendor name and ID, a unique security code, and a cyclic redundancy check (CRC). When an
SFP module is inserted in the switch, the switch software reads the EEPROM to verify the serial number,
vendor name and vendor ID, and recomputes the security code and CRC. If the serial number, the vendor
name or vendor ID, the security code, or the CRC is invalid, the software generates a security error message
and places the interface in an error-disabled state.


Note      The  security  error  message  references  the  GBIC_SECURITY  facility.  The  switch  supports  SFP  modules 
and  does  not  support  GBIC  modules.  Although  the  error  message  text  refers  to  GBIC  interfaces  and 
modules,  the  security  messages  actually  refer  to  the  SFP  modules  and  module  interfaces.  For  more 
information  about  error  messages,  see  the  system  message  guide  for  this  release. 


If  you  are  using  a  non-Cisco  SFP  module,  remove  the  SFP  module  from  the  switch,  and  replace  it  with 
a  Cisco  module.  After  inserting  a  Cisco  SFP  module,  use  the  errdisable  recovery  cause  gbic-invalid 
global  configuration  command  to  verify  the  port  status,  and  enter  a  time  interval  for  recovering  from  the 
error-disabled  state.  After  the  elapsed  interval,  the  switch  brings  the  interface  out  of  the  error-disabled 
state  and  retries  the  operation.  For  more  information  about  the  errdisable  recovery  command,  see  the 
command  reference  for  this  release. 

If  the  module  is  identified  as  a  Cisco  SFP  module,  but  the  system  is  unable  to  read  vendor-data 
information  to  verify  its  accuracy,  an  SFP  module  error  message  is  generated.  In  this  case,  you  should 
remove  and  re-insert  the  SFP  module.  If  it  continues  to  fail,  the  SFP  module  might  be  defective. 

Monitoring  SFP  Module  Status 

You  can  check  the  physical  or  operational  status  of  an  SFP  module  by  using  the  show  interfaces 
transceiver  privileged  EXEC  command.  This  command  shows  the  operational  status,  such  as  the 
temperature  and  the  current  for  an  SFP  module  on  a  specific  interface  and  the  alarm  status.  You  can  also 
use  the  command  to  check  the  speed  and  the  duplex  settings  on  an  SFP  module.  For  more  information, 
see  the  show  interfaces  transceiver  command  in  the  command  reference  for  this  release. 
Using Ping

These  sections  contain  this  information: 

•  Understanding  Ping,  page  29-13 

•  Executing  Ping,  page  29-13 


Understanding  Ping 

The  switch  supports  IP  ping,  which  you  can  use  to  test  connectivity  to  remote  hosts.  Ping  sends  an  echo 
request  packet  to  an  address  and  waits  for  a  reply.  Ping  returns  one  of  these  responses: 

•  Normal  response — The  normal  response  (hostname  is  alive)  occurs  in  1  to  10  seconds,  depending 
on  network  traffic. 

•  Destination  does  not  respond — If  the  host  does  not  respond,  a  no-answer  message  is  returned. 

•  Unknown  host — If  the  host  does  not  exist,  an  unknown  host  message  is  returned. 

•  Destination  unreachable — If  the  default  gateway  cannot  reach  the  specified  network,  a 
destination-unreachable  message  is  returned. 

•  Network  or  host  unreachable — If  there  is  no  entry  in  the  route  table  for  the  host  or  network,  a 
network  or  host  unreachable  message  is  returned. 


Executing  Ping 

Beginning  in  privileged  EXEC  mode,  use  this  command  to  ping  another  device  on  the  network  from  the 
switch: 


Command                     Purpose

ping ip host | address      Ping a remote host through IP or by supplying the hostname or
                            network address.

Note      Though  other  protocol  keywords  are  available  with  the  ping  command,  they  are  not  supported  in  this 
release. 

This  example  shows  how  to  ping  an  IP  host: 

Switch# ping 172.20.52.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 172.20.52.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Switch#

Table 29-1 describes the possible ping character output.

Table 29-1      Ping Output Display Characters


Character    Description

!            Each exclamation point means receipt of a reply.

.            Each period means the network server timed out while waiting for a reply.

U            A destination unreachable error PDU was received.

C            A congestion experienced packet was received.

I            User interrupted test.

?            Unknown packet type.

&            Packet lifetime exceeded.

To end a ping session, enter the escape sequence (Ctrl-^ X by default). Simultaneously press and release
the Ctrl, Shift, and 6 keys and then press the X key.

Using  Layer  2  Traceroute 

These  sections  contain  this  information: 

•  Understanding  Layer  2  Traceroute,  page  29-14 

•  Usage  Guidelines,  page  29-15 

•  Displaying  the  Physical  Path,  page  29-16 

Understanding  Layer  2  Traceroute 

The  Layer  2  traceroute  feature  allows  the  switch  to  identify  the  physical  path  that  a  packet  takes  from  a 
source  device  to  a  destination  device.  Layer  2  traceroute  supports  only  unicast  source  and  destination 
MAC  addresses.  It  finds  the  path  by  using  the  MAC  address  tables  of  the  switches  in  the  path.  When  the 
switch  detects  a  device  in  the  path  that  does  not  support  Layer  2  traceroute,  the  switch  continues  to  send 
Layer  2  trace  queries  and  lets  them  time  out. 

The  switch  can  only  identify  the  path  from  the  source  device  to  the  destination  device.  It  cannot  identify 
the  path  that  a  packet  takes  from  source  host  to  the  source  device  or  from  the  destination  device  to  the 
destination  host. 
Usage Guidelines

These  are  the  Layer  2  traceroute  usage  guidelines: 

•  Cisco  Discovery  Protocol  (CDP)  must  be  enabled  on  all  the  devices  in  the  network.  For  Layer  2 
traceroute  to  function  properly,  do  not  disable  CDP. 

For  a  list  of  switches  that  support  Layer  2  traceroute,  see  the  "Usage  Guidelines"  section  on 
page  29-15.  If  any  devices  in  the  physical  path  are  transparent  to  CDP,  the  switch  cannot  identify 
the  path  through  these  devices.  For  more  information  about  enabling  CDP,  see  Chapter  19, 
"Configuring  CDP." 

•  A  switch  is  reachable  from  another  switch  when  you  can  test  connectivity  by  using  the  ping 
privileged  EXEC  command.  All  switches  in  the  physical  path  must  be  reachable  from  each  other. 

•  The  maximum  number  of  hops  identified  in  the  path  is  ten. 

•  You  can  enter  the  traceroute  mac  or  the  traceroute  mac  ip  privileged  EXEC  command  on  a  switch 
that  is  not  in  the  physical  path  from  the  source  device  to  the  destination  device.  All  switches  in  the 
path  must  be  reachable  from  this  switch. 

•  The  traceroute  mac  command  output  shows  the  Layer  2  path  only  when  the  specified  source  and 
destination  MAC  addresses  belong  to  the  same  VLAN.  If  you  specify  source  and  destination  MAC 
addresses  that  belong  to  different  VLANs,  the  Layer  2  path  is  not  identified,  and  an  error  message 
appears. 

•  If  you  specify  a  multicast  source  or  destination  MAC  address,  the  path  is  not  identified,  and  an  error 
message  appears. 

•  If  the  source  or  destination  MAC  address  belongs  to  multiple  VLANs,  you  must  specify  the  VLAN 
to  which  both  the  source  and  destination  MAC  addresses  belong.  If  the  VLAN  is  not  specified,  the 
path  is  not  identified,  and  an  error  message  appears. 

•  The  traceroute  mac  ip  command  output  shows  the  Layer  2  path  when  the  specified  source  and 
destination  IP  addresses  belong  to  the  same  subnet.  When  you  specify  the  IP  addresses,  the  switch 
uses  the  Address  Resolution  Protocol  (ARP)  to  associate  the  IP  addresses  with  the  corresponding 
MAC  addresses  and  the  VLAN  IDs. 

-  If  an  ARP  entry  exists  for  the  specified  IP  address,  the  switch  uses  the  associated  MAC  address 
and  identifies  the  physical  path. 

-  If  an  ARP  entry  does  not  exist,  the  switch  sends  an  ARP  query  and  tries  to  resolve  the  IP 
address.  If  the  IP  address  is  not  resolved,  the  path  is  not  identified,  and  an  error  message 
appears. 

•  When  multiple  devices  are  attached  to  one  port  through  hubs  (for  example,  multiple  CDP  neighbors 
are  detected  on  a  port),  the  Layer  2  traceroute  feature  is  not  supported.  When  more  than  one  CDP 
neighbor  is  detected  on  a  port,  the  Layer  2  path  is  not  identified,  and  an  error  message  appears. 

•  This  feature  is  not  supported  in  Token  Ring  VLANs. 
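The guidelines above as an added, constructed model (not Cisco's implementation): a walk over the MAC address tables and CDP neighbor lists of a three-switch chain that refuses exactly the cases the bullets list (multicast addresses, different VLANs, an address in several VLANs without a VLAN given, more than one CDP neighbor on a port, a device that does not answer, more than ten hops). The Switch class, the topology and the MAC addresses are the example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX_HOPS = 10   # the guideline above: at most ten hops are identified


class L2TraceError(Exception):
    """Raised where the switch would print an error message instead of a path."""


@dataclass
class Switch:
    name: str
    mac_table: Dict[Tuple[str, int], str] = field(default_factory=dict)   # (mac, vlan) -> port
    cdp_neighbors: Dict[str, List[str]] = field(default_factory=dict)     # port -> neighbor names


def is_multicast(mac: str) -> bool:
    """The I/G bit (least significant bit of the first octet) marks a group address."""
    return int(mac.split(":")[0], 16) & 1 == 1


def vlans_for(switches: Dict[str, Switch], mac: str) -> Set[int]:
    return {vlan for sw in switches.values() for (m, vlan) in sw.mac_table if m == mac}


def pick_vlan(switches: Dict[str, Switch], src: str, dst: str, vlan: Optional[int]) -> int:
    src_vlans, dst_vlans = vlans_for(switches, src), vlans_for(switches, dst)
    if not src_vlans or not dst_vlans:
        raise L2TraceError("source or destination MAC is not in any MAC address table")
    if vlan is not None:
        if vlan not in src_vlans or vlan not in dst_vlans:
            raise L2TraceError(f"both addresses must belong to VLAN {vlan}")
        return vlan
    if len(src_vlans) > 1 or len(dst_vlans) > 1:
        raise L2TraceError("address belongs to multiple VLANs; specify the VLAN")
    (src_vlan,), (dst_vlan,) = src_vlans, dst_vlans
    if src_vlan != dst_vlan:
        raise L2TraceError("source and destination are in different VLANs")
    return src_vlan


def l2_traceroute(switches: Dict[str, Switch], src_mac: str, dst_mac: str,
                  vlan: Optional[int] = None) -> List[str]:
    src, dst = src_mac.lower(), dst_mac.lower()
    if is_multicast(src) or is_multicast(dst):
        raise L2TraceError("multicast MAC addresses are not supported")
    vlan = pick_vlan(switches, src, dst, vlan)
    # The walk starts at the switch that learned the source on an edge port
    # (no CDP neighbor there), i.e. the switch the source device is attached to.
    start = next((sw for sw in switches.values() if (src, vlan) in sw.mac_table
                  and not sw.cdp_neighbors.get(sw.mac_table[(src, vlan)])), None)
    if start is None:
        raise L2TraceError("cannot locate the switch the source device is attached to")
    path: List[str] = []
    current = start
    while True:
        path.append(current.name)
        if len(path) > MAX_HOPS:
            raise L2TraceError("path exceeds the maximum of ten hops")
        out_port = current.mac_table.get((dst, vlan))
        if out_port is None:
            raise L2TraceError(f"{current.name} has no entry for {dst} in VLAN {vlan}")
        neighbors = current.cdp_neighbors.get(out_port, [])
        if not neighbors:
            return path   # the destination hangs directly off this port
        if len(neighbors) > 1:
            raise L2TraceError(f"more than one CDP neighbor on {current.name} {out_port}")
        nxt = switches.get(neighbors[0])
        if nxt is None:
            # A device that does not answer Layer 2 trace queries: the real
            # switch keeps sending queries and lets them time out.
            raise L2TraceError(f"{neighbors[0]} does not support Layer 2 traceroute")
        current = nxt


def describe(switches: Dict[str, Switch], src_mac: str, dst_mac: str,
             vlan: Optional[int] = None) -> str:
    """Path as 'SW1 -> SW2 -> SW3', or the error text the switch would print."""
    try:
        return " -> ".join(l2_traceroute(switches, src_mac, dst_mac, vlan))
    except L2TraceError as exc:
        return f"Error: {exc}"


HOST_A, HOST_B, HOST_C = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"


def sample_topology() -> Dict[str, Switch]:
    """Constructed chain SW1 - SW2 - SW3: A on SW1 Gi0/1 and B on SW3 Gi0/5 in
    VLAN 10, C on SW1 Gi0/2 in VLAN 20."""
    sw1 = Switch("SW1", {(HOST_A, 10): "Gi0/1", (HOST_B, 10): "Gi0/24", (HOST_C, 20): "Gi0/2"},
                 {"Gi0/24": ["SW2"]})
    sw2 = Switch("SW2", {(HOST_A, 10): "Gi0/1", (HOST_B, 10): "Gi0/2"},
                 {"Gi0/1": ["SW1"], "Gi0/2": ["SW3"]})
    sw3 = Switch("SW3", {(HOST_A, 10): "Gi0/24", (HOST_B, 10): "Gi0/5"},
                 {"Gi0/24": ["SW2"]})
    return {sw.name: sw for sw in (sw1, sw2, sw3)}
```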
Displaying the Physical Path

You can display the physical path that a packet takes from a source device to a destination device by
using one of these privileged EXEC commands:

• traceroute mac [interface interface-id] {source-mac-address} [interface interface-id]
{destination-mac-address} [vlan vlan-id] [detail]

• traceroute mac ip {source-ip-address | source-hostname} {destination-ip-address |
destination-hostname} [detail]

For  more  information,  see  the  command  reference  for  this  release. 


Using IP Traceroute

These  sections  contain  this  information: 

•  Understanding  IP  Traceroute,  page  29-16 

•  Executing  IP  Traceroute,  page  29-17 

Understanding IP Traceroute

You  can  use  IP  traceroute  to  identify  the  path  that  packets  take  through  the  network  on  a  hop-by-hop 
basis.  The  command  output  displays  all  network  layer  (Layer  3)  devices,  such  as  routers,  that  the  traffic 
passes  through  on  the  way  to  the  destination. 

Your  switches  can  participate  as  the  source  or  destination  of  the  traceroute  privileged  EXEC  command 
and  might  or  might  not  appear  as  a  hop  in  the  traceroute  command  output.  If  the  switch  is  the  destination 
of  the  traceroute,  it  is  displayed  as  the  final  destination  in  the  traceroute  output.  Intermediate  switches 
do  not  show  up  in  the  traceroute  output  if  they  are  only  bridging  the  packet  from  one  port  to  another 
within  the  same  VLAN.  However,  if  the  intermediate  switch  is  a  multilayer  switch  that  is  routing  a 
particular  packet,  this  switch  shows  up  as  a  hop  in  the  traceroute  output. 

The  traceroute  privileged  EXEC  command  uses  the  Time  To  Live  (TTL)  field  in  the  IP  header  to  cause 
routers  and  servers  to  generate  specific  return  messages.  Traceroute  starts  by  sending  a  User  Datagram 
Protocol  (UDP)  datagram  to  the  destination  host  with  the  TTL  field  set  to  1.  If  a  router  finds  a  TTL  value 
of  1  or  0,  it  drops  the  datagram  and  sends  an  Internet  Control  Message  Protocol  (ICMP) 
time-to-live-exceeded  message  to  the  sender.  Traceroute  finds  the  address  of  the  first  hop  by  examining 
the  source  address  field  of  the  ICMP  time-to-live-exceeded  message. 

To  identify  the  next  hop,  traceroute  sends  a  UDP  packet  with  a  TTL  value  of  2.  The  first  router 
decrements  the  TTL  field  by  1  and  sends  the  datagram  to  the  next  router.  The  second  router  sees  a  TTL 
value  of  1,  discards  the  datagram,  and  returns  the  time-to-live-exceeded  message  to  the  source.  This 
process  continues  until  the  TTL  is  incremented  to  a  value  large  enough  for  the  datagram  to  reach  the 
destination  host  (or  until  the  maximum  TTL  is  reached). 

To  learn  when  a  datagram  reaches  its  destination,  traceroute  sets  the  UDP  destination  port  number  in  the 
datagram  to  a  very  large  value  that  the  destination  host  is  unlikely  to  be  using.  When  a  host  receives  a 
datagram  destined  to  itself  containing  a  destination  port  number  that  is  unused  locally,  it  sends  an  ICMP 
port-unreachable  error  to  the  source.  Because  all  errors  except  port-unreachable  errors  come  from 
intermediate  hops,  the  receipt  of  a  port-unreachable  error  means  that  this  message  was  sent  by  the 
destination  port. 
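The TTL exchange described above, as an added simulation that is not part of this guide or of IOS: constructed routers decrement the TTL and answer with a time-to-live-exceeded message when it reaches 1 or 0, and a constructed destination host answers port-unreachable only when the probe's destination port is unused. The addresses, class names and the probe port 33434 are assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_TTL = 30
PROBES_PER_HOP = 3
UDP_PROBE_PORT = 33434   # assumed: a high port the destination is unlikely to be using


@dataclass
class Datagram:
    src: str
    dst: str
    ttl: int
    dport: int


@dataclass
class Icmp:
    src: str     # address of the device that generated the error message
    kind: str    # "time-exceeded" or "port-unreachable"


@dataclass
class Router:
    address: str
    silent: bool = False   # drops expired datagrams without reporting (shows as "*")

    def forward(self, dg: Datagram) -> Tuple[bool, Optional[Icmp]]:
        """Return (forwarded, reply). A TTL of 1 or 0 is dropped and reported."""
        if dg.ttl <= 1:
            reply = None if self.silent else Icmp(self.address, "time-exceeded")
            return False, reply
        dg.ttl -= 1
        return True, None


@dataclass
class Host:
    address: str
    listening_ports: Tuple[int, ...] = ()

    def receive(self, dg: Datagram) -> Optional[Icmp]:
        """A port unused locally draws a port-unreachable error; a used one does not."""
        if dg.dport in self.listening_ports:
            return None   # delivered to an application, nothing goes back to traceroute
        return Icmp(self.address, "port-unreachable")


def send_probe(routers: List[Router], host: Host, dg: Datagram) -> Optional[Icmp]:
    """Carry one datagram along the router chain to the host; return the ICMP reply, if any."""
    for router in routers:
        forwarded, reply = router.forward(dg)
        if not forwarded:
            return reply
    return host.receive(dg)


def traceroute(routers: List[Router], host: Host, src: str = "192.0.2.100",
               max_ttl: int = MAX_TTL) -> List[Tuple[int, str]]:
    """Sender's view: (ttl, responding address or '*') per hop, three probes each."""
    hops: List[Tuple[int, str]] = []
    for ttl in range(1, max_ttl + 1):
        replies = [send_probe(routers, host, Datagram(src, host.address, ttl, UDP_PROBE_PORT))
                   for _ in range(PROBES_PER_HOP)]
        answered = next((r for r in replies if r is not None), None)
        hops.append((ttl, answered.src if answered else "*"))
        # Only the destination emits port-unreachable; every other error comes
        # from an intermediate hop, so this reply means the trace is complete.
        if answered and answered.kind == "port-unreachable":
            break
    return hops


def sample_network() -> Tuple[List[Router], Host]:
    """Constructed three-router path ending at a host not listening on the probe port."""
    routers = [Router("192.0.2.1"), Router("192.0.2.2"), Router("198.51.100.1")]
    return routers, Host("198.51.100.10", listening_ports=(22, 80))
```

If the host happens to listen on the probe port, no port-unreachable ever arrives and the trace runs on to max_ttl showing "*" for every later hop, which is why the probe port is chosen to be an unlikely one.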
Executing IP Traceroute

Beginning  in  privileged  EXEC  mode,  follow  this  step  to  trace  the  path  that  packets  take  through  the 
network: 


Command                 Purpose

traceroute ip host      Trace the path that packets take through the network.

Note      Though other protocol keywords are available with the traceroute privileged EXEC command, they are
not supported in this release.

This  example  shows  how  to  perform  a  traceroute  to  an  IP  host: 

Switch# traceroute ip 171.9.15.10

Type escape sequence to abort.
Tracing the route to 171.69.115.10

  1 172.2.52.1 0 msec 0 msec 4 msec
  2 172.2.1.203 12 msec 8 msec 0 msec
  3 171.9.16.6 4 msec 0 msec 0 msec
  4 171.9.4.5 0 msec 4 msec 0 msec
  5 171.9.121.34 0 msec 4 msec 4 msec
  6 171.9.15.9 120 msec 132 msec 128 msec
  7 171.9.15.10 132 msec 128 msec 128 msec
Switch#

The  display  shows  the  hop  count,  the  IP  address  of  the  router,  and  the  round-trip  time  in  milliseconds 
for  each  of  the  three  probes  that  are  sent. 


Table 29-2      Traceroute Output Display Characters

Character    Description

*            The probe timed out.

?            Unknown packet type.

A            Administratively unreachable. Usually, this output means that an access list is
             blocking traffic.

H            Host unreachable.

N            Network unreachable.

P            Protocol unreachable.

Q            Source quench.

U            Port unreachable.

To end a trace in progress, enter the escape sequence (Ctrl-^ X by default). Simultaneously press and
release the Ctrl, Shift, and 6 keys and then press the X key.
Using TDR

These  sections  contain  this  information: 

•  Understanding  TDR,  page  29-18 

•  Running  TDR  and  Displaying  the  Results,  page  29-18 

Understanding  TDR 

You  can  use  the  Time  Domain  Reflector  (TDR)  feature  to  diagnose  and  resolve  cabling  problems.  When 
running  TDR,  a  local  device  sends  a  signal  through  a  cable  and  compares  the  reflected  signal  to  the  initial 
signal. 

TDR  is  supported  only  on  10/100  and  10/100/1000  copper  Ethernet  ports.  It  is  not  supported  on  SFP 
module  ports. 

TDR  can  detect  these  cabling  problems: 

•  Open,  broken,  or  cut  twisted-pair  wires — The  wires  are  not  connected  to  the  wires  from  the  remote 
device. 

•  Shorted  twisted-pair  wires — The  wires  are  touching  each  other  or  the  wires  from  the  remote  device. 
For  example,  a  shorted  twisted  pair  can  occur  if  one  wire  of  the  twisted  pair  is  soldered  to  the  other 
wire. 

If  one  of  the  twisted-pair  wires  is  open,  TDR  can  find  the  length  at  which  the  wire  is  open. 
Use  TDR  to  diagnose  and  resolve  cabling  problems  in  these  situations: 

•  Replacing  a  switch 

•  Setting  up  a  wiring  closet 

•  Troubleshooting  a  connection  between  two  devices  when  a  link  cannot  be  established  or  when  it  is 
not  operating  properly 

Running  TDR  and  Displaying  the  Results 

To  run  TDR,  enter  the  test  cable-diagnostics  tdr  interface  interface-id  privileged  EXEC  command: 

To  display  the  results,  enter  the  show  cable-diagnostics  tdr  interface  interface-id  privileged  EXEC 
command.  For  a  description  of  the  fields  in  the  display,  see  the  command  reference  for  this  release. 

Using  Debug  Commands 

These sections explain how you use debug commands to diagnose and resolve internetworking
problems:

•  Enabling  Debugging  on  a  Specific  Feature,  page  29-19 

•  Enabling  All-System  Diagnostics,  page  29-19 

•  Redirecting  Debug  and  Error  Message  Output,  page  29-20 

Caution      Because  debugging  output  is  assigned  high  priority  in  the  CPU  process,  it  can  render  the  system 
unusable.  For  this  reason,  use  debug  commands  only  to  troubleshoot  specific  problems  or  during 
troubleshooting  sessions  with  Cisco  technical  support  staff.  It  is  best  to  use  debug  commands  during 
periods  of  lower  network  traffic  and  fewer  users.  Debugging  during  these  periods  decreases  the 
likelihood  that  increased  debug  command  processing  overhead  will  affect  system  use. 


Note      For  complete  syntax  and  usage  information  for  specific  debug  commands,  see  the  command  reference 
for  this  release. 


Enabling  Debugging  on  a  Specific  Feature 

All  debug  commands  are  entered  in  privileged  EXEC  mode,  and  most  debug  commands  take  no 
arguments.  For  example,  beginning  in  privileged  EXEC  mode,  enter  this  command  to  enable  the 
debugging  for  Switched  Port  Analyzer  (SPAN): 

Switch# debug span-session

The  switch  continues  to  generate  output  until  you  enter  the  no  form  of  the  command. 
If  you  enable  a  debug  command  and  no  output  appears,  consider  these  possibilities: 

•  The  switch  might  not  be  properly  configured  to  generate  the  type  of  traffic  you  want  to  monitor.  Use 
the  show  running-config  command  to  check  its  configuration. 

•  Even  if  the  switch  is  properly  configured,  it  might  not  generate  the  type  of  traffic  you  want  to 
monitor  during  the  particular  period  that  debugging  is  enabled.  Depending  on  the  feature  you  are 
debugging,  you  can  use  commands  such  as  the  TCP/IP  ping  command  to  generate  network  traffic. 

To  disable  debugging  of  SPAN,  enter  this  command  in  privileged  EXEC  mode: 

Switch# no debug span-session

Alternately,  in  privileged  EXEC  mode,  you  can  enter  the  undebug  form  of  the  command: 

Switch# undebug span-session

To  display  the  state  of  each  debugging  option,  enter  this  command  in  privileged  EXEC  mode: 

Switch# show debugging

Enabling  All-System  Diagnostics 

Beginning  in  privileged  EXEC  mode,  enter  this  command  to  enable  all-system  diagnostics: 

Switch# debug all


Caution      Because  debugging  output  takes  priority  over  other  network  traffic,  and  because  the  debug  all  privileged 
EXEC  command  generates  more  output  than  any  other  debug  command,  it  can  severely  diminish  switch 
performance  or  even  render  it  unusable.  In  virtually  all  cases,  it  is  best  to  use  more  specific  debug 
commands. 
The no debug all privileged EXEC command disables all diagnostic output. Using the no debug all
command  is  a  convenient  way  to  ensure  that  you  have  not  accidentally  left  any  debug  commands 
enabled. 


Redirecting  Debug  and  Error  Message  Output 

By  default,  the  network  server  sends  the  output  from  debug  commands  and  system  error  messages  to  the 
console.  If  you  use  this  default,  you  can  use  a  virtual  terminal  connection  to  monitor  debug  output 
instead  of  connecting  to  the  console  port. 

Possible  destinations  include  the  console,  virtual  terminals,  internal  buffer,  and  UNIX  hosts  running  a 
syslog  server.  The  syslog  format  is  compatible  with  4.3  Berkeley  Standard  Distribution  (BSD)  UNIX 
and  its  derivatives. 


Note      Be  aware  that  the  debugging  destination  you  use  affects  system  overhead.  Logging  messages  to  the 
console  produces  very  high  overhead,  whereas  logging  messages  to  a  virtual  terminal  produces  less 
overhead.  Logging  messages  to  a  syslog  server  produces  even  less,  and  logging  to  an  internal  buffer 
produces  the  least  overhead  of  any  method. 


For  more  information  about  system  message  logging,  see  Chapter  24,  "Configuring  System  Message 
Logging." 


Using  the  show  platform  forward  Command 

The  output  from  the  show  platform  forward  privileged  EXEC  command  provides  some  useful 
information  about  the  forwarding  results  if  a  packet  entering  an  interface  is  sent  through  the  system. 
Depending  upon  the  parameters  entered  about  the  packet,  the  output  provides  lookup  table  results  and 
port  maps  used  to  calculate  forwarding  destinations,  bitmaps,  and  egress  information. 


Note      For  more  syntax  and  usage  information  for  the  show  platform  forward  command,  see  the  switch 
command  reference  for  this  release. 


Most  of  the  information  in  the  output  from  the  command  is  useful  mainly  for  technical  support 
personnel,  who  have  access  to  detailed  information  about  the  switch  application-specific  integrated 
circuits  (ASICs).  However,  packet  forwarding  information  can  also  be  helpful  in  troubleshooting. 

This  is  an  example  of  the  output  from  the  show  platform  forward  command  on  port  1  in  VLAN  5  when 
the  packet  entering  that  port  is  addressed  to  unknown  MAC  addresses.  The  packet  should  be  flooded  to 
all  other  ports  in  VLAN  5. 

Switch# show platform forward gigabitethernet0/1 vlan 5 1.1.1 2.2.2 ip 13.1.1.1 13.2.2.2 udp 10 20

Global Port Number: 24, Asic Number: 5
Src Real Vlan Id: 5, Mapped Vlan Id: 5

Ingress :
Lookup     Key-Used                                   Index-Hit  A-Data
InptACL    40_0D020202_0D010101-00_40000014_000A0000  01FFA      03000000
L2Local    80_00050002_00020002-00_00000000_00000000  00C71      0000002B
Station Descriptor : 02340000, DestIndex: 0239, RewriteIndex : F005

Egress : Asic 2, switch 1
Output Packets:

Packet 1
Lookup     Key-Used                                   Index-Hit  A-Data
OutptACL   50_0D020202_0D010101-00_40000014_000A0000  01FFE      03000000
Port       Vlan   SrcMac          DstMac          Cos  Dscpv
Gi0/1      0005   0001.0001.0001  0002.0002.0002

Packet 2
Lookup     Key-Used                                   Index-Hit  A-Data
OutptACL   50_0D020202_0D010101-00_40000014_000A0000  01FFE      03000000
Port       Vlan   SrcMac          DstMac          Cos  Dscpv
Gi0/2      0005   0001.0001.0001  0002.0002.0002

<output truncated>

Packet 10
Lookup     Key-Used                                   Index-Hit  A-Data
OutptACL   50_0D020202_0D010101-00_40000014_000A0000  01FFE      03000000
Packet dropped due to failed DEJA_VU Check on Gi0/2

This  is  an  example  of  the  output  when  the  packet  coming  in  on  port  1  in  VLAN  5  is  sent  to  an  address 
already  learned  on  the  VLAN  on  another  port.  It  should  be  forwarded  from  the  port  on  which  the  address 
was  learned. 

Switch# show platform forward gigabitethernet0/1 vlan 5 1.1.1 0009.43a8.0145 ip 13.1.1.1 13.2.2.2 udp 10 20

Global Port Number: 24, Asic Number: 5
Src Real Vlan Id: 5, Mapped Vlan Id: 5

Ingress :
Lookup     Key-Used                                   Index-Hit  A-Data
InptACL    40_0D020202_0D010101-00_40000014_000A0000  01FFA      03000000
L2Local    80_00050009_43A80145-00_00000000_00000000  00086      02010197
Station Descriptor : F0050003, DestIndex : F005, RewriteIndex: 0003

Egress: Asic 3, switch 1
Output Packets:

Packet 1
Lookup     Key-Used                                   Index-Hit  A-Data
OutptACL   50_0D020202_0D010101-00_40000014_000A0000  01FFE      03000000
Port       Vlan   SrcMac          DstMac          Cos  Dscpv
Gi0/2      0005   0001.0001.0001  0009.43A8.0145
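The two examples above are read by comparing the lookup keys with the packet you described on the command line and then counting the egress copies. The following Python helper does that comparison; it is an added example and not part of the Cisco guide, the sample output is constructed from the values above, and the field layout it decodes inside the Key-Used column (VLAN and MAC in the L2Local key, destination and source IPv4 address in the InptACL key) is inferred from these two examples and is an assumption, not a documented ASIC format.

```python
"""Summarise 'show platform forward' output (added example, not from the guide).

The Key-Used field layout decoded here is inferred from the guide's two
examples and is an assumption, not a documented ASIC key format: treat the
decoded values as a hint and confirm them against the command arguments.
"""
import re

# Constructed sample, modelled on the guide's flooding example (unknown
# destination MAC in VLAN 5; one egress copy fails the DEJA_VU check).
SAMPLE_FLOOD = """\
Global Port Number: 24, Asic Number: 5
Src Real Vlan Id: 5, Mapped Vlan Id: 5
Ingress :
Lookup Key-Used Index-Hit A-Data
InptACL 40_0D020202_0D010101-00_40000014_000A0000 01FFA 03000000
L2Local 80_00050002_00020002-00_00000000_00000000 00C71 0000002B
Station Descriptor : 02340000, DestIndex: 0239, RewriteIndex : F005
Egress : Asic 2, switch 1
Output Packets:
Packet 1
OutptACL 50_0D020202_0D010101-00_40000014_000A0000 01FFE 03000000
Port Vlan SrcMac DstMac Cos Dscpv
Gi0/1 0005 0001.0001.0001 0002.0002.0002
Packet 2
OutptACL 50_0D020202_0D010101-00_40000014_000A0000 01FFE 03000000
Port Vlan SrcMac DstMac Cos Dscpv
Gi0/2 0005 0001.0001.0001 0002.0002.0002
Packet 3
OutptACL 50_0D020202_0D010101-00_40000014_000A0000 01FFE 03000000
Packet dropped due to failed DEJA_VU Check on Gi0/2
"""

# Constructed sample for the known-address case: a single copy out of Gi0/2.
SAMPLE_KNOWN = """\
Src Real Vlan Id: 5, Mapped Vlan Id: 5
InptACL 40_0D020202_0D010101-00_40000014_000A0000 01FFA 03000000
L2Local 80_00050009_43A80145-00_00000000_00000000 00086 02010197
Port Vlan SrcMac DstMac Cos Dscpv
Gi0/2 0005 0001.0001.0001 0009.43A8.0145
"""


def _hex_ipv4(h):
    """'0D020202' -> '13.2.2.2'."""
    return ".".join(str(int(h[i:i + 2], 16)) for i in range(0, 8, 2))


def _fmt_mac(h):
    """12 hex digits -> 'xxxx.xxxx.xxxx' in lower case."""
    return ".".join(h[i:i + 4] for i in range(0, 12, 4)).lower()


def parse_forward(text):
    """Extract the fields a troubleshooter compares against the command arguments."""
    out = {"vlan": None, "src_ip": None, "dst_ip": None, "l2_vlan": None,
           "l2_mac": None, "egress": [], "dropped": []}
    m = re.search(r"Src Real Vlan Id:\s*(\d+)", text)
    if m:
        out["vlan"] = int(m.group(1))
    # InptACL key: <flags>_<dst IPv4>_<src IPv4>-...  (assumed layout)
    m = re.search(r"InptACL\s+\w\w_([0-9A-F]{8})_([0-9A-F]{8})", text)
    if m:
        out["dst_ip"], out["src_ip"] = _hex_ipv4(m.group(1)), _hex_ipv4(m.group(2))
    # L2Local key: <flags>_<VLAN:4><MAC hi:4>_<MAC lo:8>-...  (assumed layout)
    m = re.search(r"L2Local\s+\w\w_([0-9A-F]{4})([0-9A-F]{4})_([0-9A-F]{8})", text)
    if m:
        out["l2_vlan"] = int(m.group(1), 16)
        out["l2_mac"] = _fmt_mac(m.group(2) + m.group(3))
    # One "Port Vlan SrcMac DstMac" row per egress copy of the packet.
    for m in re.finditer(r"^(Gi\d+/\d+)\s+([0-9A-F]{4})\s+(\S+)\s+(\S+)", text, re.M):
        out["egress"].append({"port": m.group(1), "vlan": int(m.group(2), 16),
                              "dst_mac": m.group(4).lower()})
    for m in re.finditer(r"Packet dropped due to failed (\S+) Check on (\S+)", text):
        out["dropped"].append({"port": m.group(2), "check": m.group(1)})
    return out


def forwarding_decision(summary):
    """'flooded' when copies went to several ports, else 'forwarded' to one port."""
    ports = {e["port"] for e in summary["egress"]}
    return "flooded" if len(ports) > 1 else "forwarded"


def lookup_matches_egress(summary):
    """True when every egress copy carries the DstMac and VLAN the L2Local key encoded."""
    return all(e["dst_mac"] == summary["l2_mac"] and e["vlan"] == summary["l2_vlan"]
               for e in summary["egress"])
```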


Using the crashinfo Files


The  crashinfo  files  save  information  that  helps  Cisco  technical  support  representatives  to  debug 
problems  that  caused  the  Cisco  IOS  image  to  fail  (crash).  The  switch  writes  the  crash  information  to  the 
console  at  the  time  of  the  failure.  The  switch  creates  two  types  of  crashinfo  files: 

•  Basic  crashinfo  file — The  switch  automatically  creates  this  file  the  next  time  you  boot  up  the  Cisco 
IOS  image  after  the  failure. 

•  Extended  crashinfo  file — The  switch  automatically  creates  this  file  when  the  system  is  failing. 


The  information  in  the  basic  file  includes  the  Cisco  IOS  image  name  and  version  that  failed,  a  list  of  the 
processor  registers,  and  a  stack  trace.  You  can  provide  this  information  to  the  Cisco  technical  support 
representative  by  using  the  show  tech-support  privileged  EXEC  command. 

Basic  crashinfo  files  are  kept  in  this  directory  on  the  flash  file  system: 

flash:/crashinfo/. 

The filenames are crashinfo_n where n is a sequence number.

Each  new  crashinfo  file  that  is  created  uses  a  sequence  number  that  is  larger  than  any  previously  existing 
sequence  number,  so  the  file  with  the  largest  sequence  number  describes  the  most  recent  failure.  Version 
numbers  are  used  instead  of  a  timestamp  because  the  switches  do  not  include  a  real-time  clock.  You 
cannot  change  the  name  of  the  file  that  the  system  will  use  when  it  creates  the  file.  However,  after  the 
file  is  created,  you  can  use  the  rename  privileged  EXEC  command  to  rename  it,  but  the  contents  of  the 
renamed  file  will  not  be  displayed  by  the  show  tech-support  privileged  EXEC  command.  You  can 
delete  crashinfo  files  by  using  the  delete  privileged  EXEC  command. 

You  can  display  the  most  recent  basic  crashinfo  file  (that  is,  the  file  with  the  highest  sequence  number 
at  the  end  of  its  filename)  by  entering  the  show  tech-support  privileged  EXEC  command.  You  also  can 
access  the  file  by  using  any  command  that  can  copy  or  display  files,  such  as  the  more  or  the  copy 
privileged  EXEC  command. 


In  Cisco  IOS  Release  12.2(25)SEC  or  later,  the  switch  creates  the  extended  crashinfo  file  when  the 
system  is  failing.  The  information  in  the  extended  file  includes  additional  information  that  can  help 
determine  the  cause  of  the  switch  failure.  You  provide  this  information  to  the  Cisco  technical  support 
representative  by  manually  accessing  the  file  and  using  the  more  or  the  copy  privileged  EXEC 
command. 

Extended  crashinfo  files  are  kept  in  this  directory  on  the  flash  file  system: 
flash:/crashinfo_ext/. 

The filenames are crashinfo_ext_n where n is a sequence number.

You  can  configure  the  switch  to  not  create  the  extended  crashinfo  file  by  using  the  no  exception 
crashinfo  global  configuration  command. 


APPENDIX


This appendix lists the supported management information bases (MIBs) for this release on the switch. It
contains these sections:

•  MIB  List,  page  A-1 

•  Using  FTP  to  Access  the  MIB  Files,  page  A-3 

MIB  List 

•  BRIDGE-MIB 


Note      The BRIDGE-MIB supports the context of a single VLAN. By default, SNMP messages
using the configured community string always provide information for VLAN 1. To obtain
the BRIDGE-MIB information for other VLANs, for example VLAN x, use this community
string in the SNMP message: configured community string@x.

•  CISCO-CABLE-DIAG-MIB 

•  CISCO-CDP-MIB 

•  CISCO-CLUSTER-MIB 

•  CISCO-CONFIG-COPY-MIB 

•  CISCO-CONFIG-MAN-MIB 

•  CISCO-ENTITY-VENDORTYPE-OID-MIB

•  CISCO-ENVMON-MIB 

•  CISCO-ERR-DISABLE-MIB 

•  CISCO-FLASH-MIB  (Flash  memory  on  all  switches  is  modeled  as  removable  flash  memory.) 

•  CISCO-FTP-CLIENT-MIB 

•  CISCO-IGMP-FILTER-MIB 

•  CISCO-IMAGE-MIB 

•  CISCO-IP-STAT-MIB

•  CISCO-LAG-MIB 

•  CISCO-MAC-NOTIFICATION-MIB 
•  CISCO-MEMORY-POOL-MIB

•  CISCO-PAE-MIB 

•  CISCO-PAGP-MIB 

•  CISCO-PING-MIB 

•  CISCO-PRODUCTS-MIB 

•  CISCO-PROCESS-MIB 

•  CISCO-RTTMON-MIB 

•  CISCO-SMI-MIB 

•  CISCO-STP-EXTENSIONS-MIB 

•  CISCO-SYSLOG-MIB 

•  CISCO-TC-MIB 

•  CISCO-TCP-MIB 

•  CISCO-UDLDP-MIB 

•  CISCO-VLAN-IFTABLE-RELATIONSHIP-MIB

•  CISCO-VLAN-MEMBERSHIP-MIB 

•  CISCO-VTP-MIB 

•  ENTITY-MIB 

•  ETHERLIKE-MIB 

•  IEEE8021-PAE-MIB 

•  IEEE8023-LAG-MIB 

•  IF-MIB  (In  and  out  counters  for  VLANs  are  not  supported.) 

•  INET-ADDRESS-MIB

•  OLD-CISCO-CHASSIS-MIB 

•  OLD-CISCO-FLASH-MIB 

•  OLD-CISCO-INTERFACES-MIB 

•  OLD-CISCO-IP-MIB 

•  OLD-CISCO-SYS-MIB 

•  OLD-CISCO-TCP-MIB 

•  OLD-CISCO-TS-MIB 

•  RFC1213-MIB (Functionality is as per the agent capabilities specified in the
CISCO-RFC1213-CAPABILITY.my.)

•  RMON-MIB 

•  RMON2-MIB 

•  SNMP-FRAMEWORK-MIB 

•  SNMP-MPD-MIB 

•  SNMP-NOTIFICATION-MIB 

•  SNMP-TARGET-MIB 

•  SNMPv2-MIB 
•  TCP-MIB

•  UDP-MIB 


Note      You  can  access  other  information  about  MIBs  and  Cisco  products  on  the  Cisco  web  site: 
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml 


Using  FTP  to  Access  the  MIB  Files 

You  can  get  each  MIB  file  by  using  this  procedure: 
Step  1      Make  sure  that  your  FTP  client  is  in  passive  mode. 


Note      Some  FTP  clients  do  not  support  passive  mode. 

Step  2  Use  FTP  to  access  the  server  ftp.cisco.com. 

Step  3  Log  in  with  the  username  anonymous. 

Step  4  Enter  your  e-mail  username  when  prompted  for  the  password. 

Step 5  At the ftp> prompt, change directories to /pub/mibs/v1 and /pub/mibs/v2.

Step 6  Use the get MIB_filename command to obtain a copy of the MIB file.
APPENDIX


Working with the Cisco IOS File System,
Configuration  Files,  and  Software  Images 


This  appendix  describes  how  to  manipulate  the  switch  flash  file  system,  how  to  copy  configuration  files, 
and  how  to  archive  (upload  and  download)  software  images  to  a  switch. 


Note      For complete syntax and usage information for the commands used in this chapter, see the switch
command reference for this release and the Cisco IOS Configuration Fundamentals Command
Reference, Release 12.2.

This  appendix  consists  of  these  sections: 

•  Working  with  the  Flash  File  System,  page  B-1 

•  Working  with  Configuration  Files,  page  B-8 

•  Working  with  Software  Images,  page  B-20 

Working  with  the  Flash  File  System 

The  flash  file  system  is  a  single  flash  device  on  which  you  can  store  files.  It  also  provides  several 
commands  to  help  you  manage  software  image  and  configuration  files.  The  default  flash  file  system  on 
the  switch  is  named  flash:. 

These  sections  contain  this  configuration  information: 

•  Displaying  Available  File  Systems,  page  B-2 

•  Setting  the  Default  File  System,  page  B-3 

•  Displaying  Information  about  Files  on  a  File  System,  page  B-3 

•  Creating  and  Removing  Directories,  page  B-4 

•  Copying  Files,  page  B-4 

•  Deleting  Files,  page  B-5 

•  Creating,  Displaying,  and  Extracting  tar  Files,  page  B-5 

•  Displaying  the  Contents  of  a  File,  page  B-8 
Displaying Available File Systems

To  display  the  available  file  systems  on  your  switch,  use  the  show  file  systems  privileged  EXEC 
command  as  shown  in  this  example. 

Switch# show file systems
File Systems:

     Size(b)     Free(b)      Type  Flags  Prefixes
    15998976     5135872     flash     rw  flash:
           -           -    opaque     rw  bs:
           -           -    opaque     rw  vb:
      524288      520138     nvram     rw  nvram:
           -           -   network     rw  tftp:
           -           -    opaque     rw  null:
           -           -    opaque     rw  system:
           -           -    opaque     ro  xmodem:
           -           -    opaque     ro  ymodem:
Table B-1  show file systems Field Descriptions

Field     Value
Size(b)   Amount of memory in the file system in bytes.
Free(b)   Amount of free memory in the file system in bytes.
Type      Type of file system.
          flash — The file system is for a flash memory device.
          nvram — The file system is for an NVRAM device.
          opaque — The file system is a locally generated pseudo file system (for example, the system) or a download
          interface, such as brimux.
          unknown — The file system is an unknown type.
Flags     Permission for file system.
          ro — read-only.
          rw — read/write.
          wo — write-only.
Prefixes  Alias for file system.
          flash: — Flash file system.
          nvram: — NVRAM.
          null: — Null destination for copies. You can copy a remote file to null to find its size.
          rcp: — Remote Copy Protocol (RCP) network server.
          system: — Contains the system memory, including the running configuration.
          tftp: — TFTP network server.
          xmodem: — Obtain the file from a network machine by using the Xmodem protocol.
          ymodem: — Obtain the file from a network machine by using the Ymodem protocol.
Setting the Default File System

You  can  specify  the  file  system  or  directory  that  the  system  uses  as  the  default  file  system  by  using  the 
cd  filesystem:  privileged  EXEC  command.  You  can  set  the  default  file  system  to  omit  the  filesystem: 
argument  from  related  commands.  For  example,  for  all  privileged  EXEC  commands  that  have  the 
optional  filesystem:  argument,  the  system  uses  the  file  system  specified  by  the  cd  command. 

By  default,  the  default  file  system  is  flash:. 

You  can  display  the  current  default  file  system  as  specified  by  the  cd  command  by  using  the  pwd 
privileged  EXEC  command. 


Displaying  Information  about  Files  on  a  File  System 

You  can  view  a  list  of  the  contents  of  a  file  system  before  manipulating  its  contents.  For  example,  before 
copying  a  new  configuration  file  to  flash  memory,  you  might  want  to  verify  that  the  file  system  does  not 
already  contain  a  configuration  file  with  the  same  name.  Similarly,  before  copying  a  flash  configuration 
file  to  another  location,  you  might  want  to  verify  its  filename  for  use  in  another  command. 

To  display  information  about  files  on  a  file  system,  use  one  of  the  privileged  EXEC  commands  in 
Table  B-2: 


Table B-2  Commands for Displaying Information About Files

Command                             Description
dir [/all] [filesystem:][filename]  Display a list of files on a file system.
show file systems                   Display more information about each of the files on a file system.
show file information file-url      Display information about a specific file.
show file descriptors               Display a list of open file descriptors. File descriptors are the internal representations
                                    of open files. You can use this command to see if another user has a file open.

Changing Directories and Displaying the Working Directory

Beginning in privileged EXEC mode, follow these steps to change directories and display the working
directory:

            Command           Purpose
Step 1      dir filesystem:   Display the directories on the specified file system.

                              For filesystem:, use flash: for the system board flash device.
Step 2      cd new_configs    Change to the directory of interest.

                              The command example shows how to change to the directory named
                              new_configs.
Step 3      pwd               Display the working directory.

Creating  and  Removing  Directories 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  create  and  remove  a  directory: 


            Command              Purpose
Step 1      dir filesystem:      Display the directories on the specified file system.

                                 For filesystem:, use flash: for the system board flash device.
Step 2      mkdir old_configs    Create a new directory.

                                 The command example shows how to create the directory named old_configs.

                                 Directory names are case sensitive.

                                 Directory names are limited to 45 characters between the slashes (/); the name
                                 cannot contain control characters, spaces, deletes, slashes, quotes, semicolons,
                                 or colons.
Step 3      dir filesystem:      Verify your entry.


To delete a directory with all its files and subdirectories, use the delete /force /recursive
filesystem:/file-url privileged EXEC command.

Use  the  /recursive  keyword  to  delete  the  named  directory  and  all  subdirectories  and  the  files  contained 
in  it.  Use  the  /force  keyword  to  suppress  the  prompting  that  confirms  a  deletion  of  each  file  in  the 
directory.  You  are  prompted  only  once  at  the  beginning  of  this  deletion  process.  Use  the  /force  and 
/recursive  keywords  for  deleting  old  software  images  that  were  installed  by  using  the  archive 
download-sw  command  but  are  no  longer  needed. 

For  filesystem,  use  flash:  for  the  system  board  flash  device.  For  file-url,  enter  the  name  of  the  directory 
to  be  deleted.  All  the  files  in  the  directory  and  the  directory  are  removed. 


Caution      When  files  and  directories  are  deleted,  their  contents  cannot  be  recovered. 


Copying  Files 

To  copy  a  file  from  a  source  to  a  destination,  use  the  copy  source-url  destination-url  privileged  EXEC 
command.  For  the  source  and  destination  URLs,  you  can  use  running-config  and  startup-config 
keyword  shortcuts.  For  example,  the  copy  running-config  startup-config  command  saves  the  currently 
running  configuration  file  to  the  NVRAM  section  of  flash  memory  to  be  used  as  the  configuration  during 
system  initialization. 

You  can  also  copy  from  special  file  systems  (xmodem:,  ymodem:)  as  the  source  for  the  file  from  a 
network  machine  that  uses  the  Xmodem  or  Ymodem  protocol. 

Network file system URLs include ftp:, rcp:, and tftp: and have these syntaxes:

•  FTP — ftp:[[//username[:password]@location]/directory]/filename

•  RCP — rcp:[[//username@location]/directory]/filename

•  TFTP — tftp:[[//location]/directory]/filename

Local writable file systems include flash:.

Some  invalid  combinations  of  source  and  destination  exist.  Specifically,  you  cannot  copy  these 
combinations: 

•  From  a  running  configuration  to  a  running  configuration 

•  From  a  startup  configuration  to  a  startup  configuration 

•  From  a  device  to  the  same  device  (for  example,  the  copy  flash:  flash:  command  is  invalid) 

For  specific  examples  of  using  the  copy  command  with  configuration  files,  see  the  "Working  with 
Configuration  Files"  section  on  page  B-8. 
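The URL syntaxes above, the three invalid source/destination combinations, and the directory-name rules from "Creating and Removing Directories" can all be checked before a copy command is typed or scripted. The Python validator below is an added example and not code from the Cisco guide; its function names, error wording, and sample hosts (10.0.0.5 and similar) are this example's own, and the redact helper exists because an ftp: URL carries its password in clear text into command history and logs.

```python
"""Offline validator for IOS copy URLs (added example; not from the Cisco guide).

Implements the ftp:/rcp:/tftp: URL syntaxes, the invalid source/destination
combinations, and the directory-name rules from the guide. Function names
and error messages are this example's own.
"""
import re

# Which credential parts each network prefix may carry in the URL.
NETWORK = {
    "ftp": {"user", "password"},  # ftp:[[//username[:password]@location]/directory]/filename
    "rcp": {"user"},              # rcp:[[//username@location]/directory]/filename
    "tftp": set(),                # tftp:[[//location]/directory]/filename
}
LOCAL = {"flash", "nvram"}
CONFIG_SHORTCUTS = {"running-config", "startup-config"}

# Directory names: at most 45 characters between slashes; no control
# characters, spaces, delete, slashes, quotes, semicolons or colons.
_BAD_DIR_CHARS = re.compile(r"[\x00-\x1f\x7f /\"';:]")


def valid_directory_name(name):
    """Apply the guide's mkdir naming rules to one path component."""
    return 0 < len(name) <= 45 and not _BAD_DIR_CHARS.search(name)


def parse_url(url):
    """Return a dict describing an IOS file URL, or raise ValueError."""
    if url in CONFIG_SHORTCUTS:
        return {"kind": "config", "scheme": url}
    m = re.fullmatch(r"([a-z]+):(.*)", url)
    if not m:
        raise ValueError("no file system prefix in %r" % url)
    scheme, rest = m.groups()
    info = {"scheme": scheme, "user": None, "password": None, "host": None, "path": rest}
    if scheme in NETWORK:
        info["kind"] = "network"
        # Without a leading //, IOS treats the rest as host/path; keep it as path here.
        if rest.startswith("//"):
            authority, _, info["path"] = rest[2:].partition("/")
            cred, has_at, host = authority.rpartition("@")
            info["host"] = host
            if has_at:
                user, has_pw, pw = cred.partition(":")
                wanted = {"user"} | ({"password"} if has_pw else set())
                if not wanted <= NETWORK[scheme]:
                    extra = ", ".join(sorted(wanted - NETWORK[scheme]))
                    raise ValueError("%s: URLs cannot carry a %s" % (scheme, extra))
                info["user"], info["password"] = user, (pw if has_pw else None)
    elif scheme in LOCAL:
        info["kind"] = "local"
        # Every component before the last is a directory; check the naming rules.
        for part in rest.strip("/").split("/")[:-1]:
            if not valid_directory_name(part):
                raise ValueError("invalid directory name %r" % part)
    else:
        raise ValueError("unknown file system %r" % scheme)
    return info


def check_copy(src, dst):
    """Return None if 'copy src dst' is a permitted pair, else the reason it is not."""
    s, d = parse_url(src), parse_url(dst)
    if s["kind"] == "config" and d["kind"] == "config" and s["scheme"] == d["scheme"]:
        return "cannot copy %s to itself" % s["scheme"]
    if (s["kind"] == "local" and d["kind"] == "local" and s["scheme"] == d["scheme"]
            and not s["path"].strip("/") and not d["path"].strip("/")):
        return "cannot copy a device to the same device (copy %s %s)" % (src, dst)
    return None


def redact(url):
    """Mask an embedded password before the URL is written to a log or ticket."""
    return re.sub(r"(//[^:/@]+:)[^@/]*@", r"\1****@", url)
```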

To  copy  software  images  either  by  downloading  a  new  version  or  by  uploading  the  existing  one,  use  the 
archive  download-sw  or  the  archive  upload-sw  privileged  EXEC  command.  For  more  information,  see 
the  "Working  with  Software  Images"  section  on  page  B-20. 

Deleting  Files 

When you no longer need a file on a flash memory device, you can permanently delete it. To delete a
file or directory from a specified flash device, use the delete [/force] [/recursive] [filesystem:]/file-url
privileged EXEC command.

Use  the  /recursive  keyword  for  deleting  a  directory  and  all  subdirectories  and  the  files  contained  in  it. 
Use  the  /force  keyword  to  suppress  the  prompting  that  confirms  a  deletion  of  each  file  in  the  directory. 
You  are  prompted  only  once  at  the  beginning  of  this  deletion  process.  Use  the  /force  and  /recursive 
keywords  for  deleting  old  software  images  that  were  installed  by  using  the  archive  download-sw 
command  but  are  no  longer  needed. 

If you omit the filesystem: option, the switch uses the default device specified by the cd command. For
file-url,  you  specify  the  path  (directory)  and  the  name  of  the  file  to  be  deleted. 

When you attempt to delete any files, the system prompts you to confirm the deletion.


Caution      When files are deleted, their contents cannot be recovered.

This  example  shows  how  to  delete  the  file  myconfig  from  the  default  flash  memory  device: 

Switch#  delete  myconfig 

Creating,  Displaying,  and  Extracting  tar  Files 

You  can  create  a  tar  file  and  write  files  into  it,  list  the  files  in  a  tar  file,  and  extract  the  files  from  a  tar 
file  as  described  in  the  next  sections. 


Note      Instead  of  using  the  copy  privileged  EXEC  command  or  the  archive  tar  privileged  EXEC  command,  we 
recommend  using  the  archive  download-sw  and  archive  upload-sw  privileged  EXEC  commands  to 
download  and  upload  software  image  files. 


Creating a tar File

To  create  a  tar  file  and  write  files  into  it,  use  this  privileged  EXEC  command: 
archive tar /create destination-url flash:/file-url

For  destination-url,  specify  the  destination  URL  alias  for  the  local  or  network  file  system  and  the  name 
of  the  tar  file  to  create.  These  options  are  supported: 

•  For  the  local  flash  file  system,  the  syntax  is 
flash: 

•  For  the  FTP,  the  syntax  is 

ftp:[[//username[:password]@location]/directory]/tar-filename.tar

•  For  the  RCP,  the  syntax  is 
rcp:[[//username@location]/directory]/tar-filename.tar 

•  For  the  TFTP,  the  syntax  is 
tftp:[[//location]/directory]/tar-filename.tar

The tar-filename.tar is the tar file to be created.

For flash:/file-url, specify the location on the local flash file system from which the new tar file is
created. You can also specify an optional list of files or directories within the source directory to write
to the new tar file. If none are specified, all files and directories at this level are written to the newly
created tar file.

This example shows how to create a tar file. This command writes the contents of the new-configs
directory on the local flash device to a file named saved.tar on the TFTP server at 172.20.10.30:

Switch# archive tar /create tftp:172.20.10.30/saved.tar flash:/new-configs

Displaying  the  Contents  of  a  tar  File 

To  display  the  contents  of  a  tar  file  on  the  screen,  use  this  privileged  EXEC  command: 
archive  tar  /table  source-url 

For  source-url,  specify  the  source  URL  alias  for  the  local  or  network  file  system.  These  options  are 
supported: 

•  For  the  local  flash  file  system,  the  syntax  is 
flash: 

•  For  the  FTP,  the  syntax  is 
ftp:[[//username[:password]@location]/directory]/tar-filename.tar

•  For the RCP, the syntax is
rcp:[[//username@location]/directory]/tar-filename.tar

•  For the TFTP, the syntax is
tftp:[[//location]/directory]/tar-filename.tar

The tar-filename.tar is the tar file to display.

You  can  also  limit  the  display  of  the  files  by  specifying  an  optional  list  of  files  or  directories  after  the 
tar  file;  then  only  those  files  appear.  If  none  are  specified,  all  files  and  directories  appear. 
This example shows how to display the contents of a switch tar file that is in flash memory:

Switch# archive tar /table flash:cgesm-i612-mz.122-25.SE1.tar
info (219 bytes)
cgesm-i612-mz.122-25.SE1/ (directory)
cgesm-i612-mz.122-25.SE1/html/ (directory)
cgesm-i612-mz.122-25.SE1/html/troubleshooting_OS.htm (2508 bytes)
cgesm-i612-mz.122-25.SE1/html/helpframework.js (858 bytes)
cgesm-i612-mz.122-25.SE1/html/topbannernofpv.shtml (3926 bytes)
cgesm-i612-mz.122-25.SE1/html/const.htm (556 bytes)
cgesm-i612-mz.122-25.SE1/html/toolbar.shtml (8258 bytes)
cgesm-i612-mz.122-25.SE1/html/forms.js (12940 bytes)
cgesm-i612-mz.122-25.SE1/html/xhome.htm (9249 bytes)
cgesm-i612-mz.122-25.SE1/html/stylesheet.css (8273 bytes)
cgesm-i612-mz.122-25.SE1/html/menu.js (7750 bytes)
cgesm-i612-mz.122-25.SE1/html/menu.shtml (4339 bytes)
cgesm-i612-mz.122-25.SE1/html/nsback.htm (425 bytes)
cgesm-i612-mz.122-25.SE1/html/border.htm (251 bytes)
cgesm-i612-mz.122-25.SE1/html/status.htm (8107 bytes)
cgesm-i612-mz.122-25.SE1/html/troubleshooting_Browser.htm (3107 bytes)
cgesm-i612-mz.122-25.SE1/html/more.txt (62 bytes)
cgesm-i612-mz.122-25.SE1/html/homepage.htm (471 bytes)
cgesm-i612-mz.122-25.SE1/html/appsui.js (1389 bytes)
cgesm-i612-mz.122-25.SE1/html/troubleshooting_JavaScript.htm (8065 bytes)
cgesm-i612-mz.122-25.SE1/html/title.js (577 bytes)
cgesm-i612-mz.122-25.SE1/html/redirect.htm (1018 bytes)
cgesm-i612-mz.122-25.SE1/html/sorttable.js (39742 bytes)
cgesm-i612-mz.122-25.SE1/html/setup_report.htm (12461 bytes)
cgesm-i612-mz.122-25.SE1/html/empty.htm (313 bytes)

This example shows how to display only the /html directory and its contents:

Switch# archive tar /table flash:cgesm-i612-mz.122-25.SE1.tar cgesm-i612-mz.122-25.SE1/html
cgesm-i612-mz.122-25.SE1/html/ (directory)
cgesm-i612-mz.122-25.SE1/html/troubleshooting_OS.htm (2508 bytes)
cgesm-i612-mz.122-25.SE1/html/helpframework.js (858 bytes)
cgesm-i612-mz.122-25.SE1/html/topbannernofpv.shtml (3926 bytes)
cgesm-i612-mz.122-25.SE1/html/const.htm (556 bytes)
cgesm-i612-mz.122-25.SE1/html/toolbar.shtml (8258 bytes)
cgesm-i612-mz.122-25.SE1/html/forms.js (12940 bytes)
cgesm-i612-mz.122-25.SE1/html/xhome.htm (9249 bytes)
cgesm-i612-mz.122-25.SE1/html/stylesheet.css (8273 bytes)
cgesm-i612-mz.122-25.SE1/html/menu.js (7750 bytes)
cgesm-i612-mz.122-25.SE1/html/status.htm (8107 bytes)
cgesm-i612-mz.122-25.SE1/html/troubleshooting_Browser.htm (3107 bytes)
cgesm-i612-mz.122-25.SE1/html/more.txt (62 bytes)
cgesm-i612-mz.122-25.SE1/html/homepage.htm (471 bytes)
cgesm-i612-mz.122-25.SE1/html/appsui.js (1389 bytes)
cgesm-i612-mz.122-25.SE1/html/troubleshooting_JavaScript.htm (8065 bytes)
cgesm-i612-mz.122-25.SE1/html/title.js (577 bytes)
cgesm-i612-mz.122-25.SE1/html/redirect.htm (1018 bytes)
cgesm-i612-mz.122-25.SE1/html/sorttable.js (39742 bytes)
cgesm-i612-mz.122-25.SE1/html/setup_report.htm (12461 bytes)
cgesm-i612-mz.122-25.SE1/html/empty.htm (313 bytes)
cgesm-i612-mz.122-25.SE1/html/preflight.js (14442 bytes)
cgesm-i612-mz.122-25.SE1/html/sitewide.js (17408 bytes)
Extracting a tar File

To  extract  a  tar  file  into  a  directory  on  the  flash  file  system,  use  this  privileged  EXEC  command: 
archive  tar  /xtract  source-url  flash:/file-url  [dir/file...] 

For  source-url,  specify  the  source  URL  alias  for  the  local  file  system.  These  options  are  supported: 

•  For  the  local  flash  file  system,  the  syntax  is 
flash: 

•  For  the  FTP,  the  syntax  is 
ftp:[[//username[:password]@location]/directory]/tar-filename.tar

•  For the RCP, the syntax is
rcp:[[//username@location]/directory]/tar-filename.tar

•  For the TFTP, the syntax is
tftp:[[//location]/directory]/tar-filename.tar

The tar-filename.tar is the tar file from which to extract files.

For flash:/file-url [dir/file...], specify the location on the local flash file system into which the tar file is
extracted. Use the dir/file... option to specify an optional list of files or directories within the tar file to
be extracted. If none are specified, all files and directories are extracted.

This example shows how to extract the contents of a tar file located on the TFTP server at 172.20.10.30.
This command extracts just the new-configs directory into the root directory on the local flash file
system. The remaining files in the saved.tar file are ignored.

Switch# archive tar /xtract tftp://172.20.10.30/saved.tar flash:/new-configs


Displaying  the  Contents  of  a  File 


To display the contents of any readable file, including a file on a remote file system, use the more [/ascii
| /binary | /ebcdic] file-url privileged EXEC command.

This example shows how to display the contents of a configuration file on a TFTP server:

Switch# more tftp://serverA/hampton/savedconfig
Saved configuration on server
version 11.3
service timestamps log datetime localtime
service linenumber
service udp-small-servers
service pt-vty-logging
!
<output truncated>


Working with Configuration Files

This section describes how to create, load, and maintain configuration files.

Configuration files contain commands entered to customize the function of the Cisco IOS software. A way to create a basic configuration file is to use the setup program or to enter the setup privileged EXEC command. For more information, see Chapter 3, "Assigning the Switch IP Address and Default Gateway."


You can copy (download) configuration files from a TFTP, FTP, or RCP server to the running configuration or startup configuration of the switch. You might want to perform this for one of these reasons:

•  To restore a backed-up configuration file.

•  To use the configuration file for another switch. For example, you might add another switch to your network and want it to have a configuration similar to the original switch. By copying the file to the new switch, you can change the relevant parts rather than recreating the whole file.

•  To load the same configuration commands on all the switches in your network so that all the switches have similar configurations.

You can copy (upload) configuration files from the switch to a file server by using TFTP, FTP, or RCP. You might perform this task to back up a current configuration file to a server before changing its contents so that you can later restore the original configuration file from the server.

The protocol you use depends on which type of server you are using. The FTP and RCP transport mechanisms provide faster performance and more reliable delivery of data than TFTP. These improvements are possible because FTP and RCP are built on and use the TCP/IP stack, which is connection-oriented.

On a CGESM switch, which does not initially obtain its running configuration from the file flash:config.text, ports 17 and 18 initialize to the shutdown state and remain that way until you enter the no shutdown interface configuration command on these interfaces. To automatically enable ports 17 and 18, the file from which the running configuration is obtained must explicitly provide the no shutdown configuration command for ports 17 and 18. To do this, you need to use your PC or workstation text editor to manually add the no shutdown configuration command in the configuration sections for ports 17 and 18, and then save these changes.

Note      You cannot edit files that are stored on the CGESM flash by using a PC or workstation text editor.

To manually edit files on the CGESM flash, copy the file from the CGESM flash to a server by using TFTP, FTP, or RCP. Use your workstation or PC text editor to edit and save the file, then copy the modified file from the server to the CGESM flash.


Note      When you display the contents of this new running configuration file, it will show ! following port 17 and port 18. The ports are now set to no shutdown, but the parameter no shutdown does not display because no shutdown is the Cisco IOS default.


This example shows the configuration file that by default enables shutdown on ports 17 and 18 before you have copied the new configuration text file to the running configuration file:

Loading config from tftp server:

Default config file:
!
interface GigabitEthernet0/17

These sections contain this configuration information:

•  Guidelines for Creating and Using Configuration Files, page B-10

•  Configuration File Types and Location, page B-10

•  Creating a Configuration File By Using a Text Editor, page B-11

•  Copying Configuration Files By Using TFTP, page B-11

•  Copying Configuration Files By Using FTP, page B-13

•  Copying Configuration Files By Using RCP, page B-17

•  Clearing Configuration Information, page B-20


Guidelines for Creating and Using Configuration Files

Creating configuration files can aid in your switch configuration. Configuration files can contain some or all of the commands needed to configure one or more switches. For example, you might want to download the same configuration file to several switches that have the same hardware configuration.

Use these guidelines when creating a configuration file:

•  We recommend that you connect through the console port for the initial configuration of the switch. If you are accessing the switch through a network connection instead of through a direct connection to the console port, keep in mind that some configuration changes (such as changing the switch IP address or disabling ports) can cause a loss of connectivity to the switch.

•  If no password has been set on the switch, we recommend that you set one by using the enable secret secret-password global configuration command.


Note      The copy {ftp: | rcp: | tftp:} system:running-config privileged EXEC command loads the configuration files on the switch as if you were entering the commands at the command line. The switch does not erase the existing running configuration before adding the commands. If a command in the copied configuration file replaces a command in the existing configuration file, the existing command is erased. For example, if the copied configuration file contains a different IP address in a particular command than the existing configuration, the IP address in the copied configuration is used. However, some commands in the existing configuration might not be replaced or negated. In this case, the resulting configuration file is a mixture of the existing configuration file and the copied configuration file, with the copied configuration file having precedence.

To restore a configuration file to an exact copy of a file stored on a server, copy the configuration file directly to the startup configuration (by using the copy {ftp: | rcp: | tftp:} nvram:startup-config privileged EXEC command), and reload the switch.
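Both the port 17/18 edit described earlier in this section and the merge-versus-replace behaviour this note describes, modelled as an added Python example (not code from the guide or from Cisco). The configuration samples are constructed, and the merge rules are a simplified model of what the note says, not IOS's actual parser.

```python
"""Added example (not code from the Cisco guide) modelling two points in this
appendix: editing a downloaded config so ports 17 and 18 carry an explicit
`no shutdown`, and the difference between `copy ... system:running-config`
(merged into the existing running config) and `copy ... nvram:startup-config`
plus reload (the file becomes the whole config). The merge rules are a
simplified model of the note's description, not Cisco's parser; only
`interface` blocks are treated as sections."""

UPLINK_PORTS = ("GigabitEthernet0/17", "GigabitEthernet0/18")
ADDITIVE_PREFIXES = ("access-list ", "snmp-server community ")

def parse_sections(config_text):
    """Split config text into {"": [global cmds], "interface X": [sub-cmds]}."""
    sections = {"": []}
    current = ""
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!") or line == "end":
            continue                      # separators, comments, trailer
        if line[0].isspace():             # indented: belongs to current block
            sections.setdefault(current, []).append(line.strip())
        elif line.startswith("interface "):
            current = line
            sections.setdefault(current, [])
        else:                             # other top-level lines end a block
            current = ""
            sections[""].append(line)
    return sections

def render(sections):
    """Re-emit the sections as IOS-style text with `!` separators and `end`."""
    out = list(sections[""])
    for header, body in sections.items():
        if header:
            out += ["!", header] + [" " + cmd for cmd in body]
    return "\n".join(out + ["end"]) + "\n"

def ensure_uplinks_enabled(config_text, ports=UPLINK_PORTS):
    """Drop `shutdown` from ports 17 and 18 and add an explicit `no shutdown`,
    the edit the guide requires before the file is copied to the switch."""
    sections = parse_sections(config_text)
    for port in ports:
        header = "interface " + port
        body = [c for c in sections.get(header, []) if c != "shutdown"]
        if "no shutdown" not in body:
            body.append("no shutdown")
        sections[header] = body
    return render(sections)

def _key(cmd):
    """Replacement key for single-valued commands: `shutdown` and `no shutdown`
    share one key; `ip address` and `ip default-gateway` do not."""
    words = (cmd[3:] if cmd.startswith("no ") else cmd).split()
    return " ".join(words[:2]) if words[0] in ("ip", "ipv6", "switchport") else words[0]

def _apply(lines, cmd):
    """Apply one copied line on top of the existing lines of the same block."""
    negate = cmd.startswith("no ")
    body = cmd[3:] if negate else cmd
    if body.startswith(ADDITIVE_PREFIXES):  # entries accumulate; `no` removes
        kept = [c for c in lines if not (negate and c.startswith(body))]
        if not negate and cmd not in kept:
            kept.append(cmd)
        return kept
    return [c for c in lines if _key(c) != _key(cmd)] + [cmd]

def copy_to_running(existing_text, copied_text):
    """Model `copy tftp: system:running-config`: lines the copied file does not
    mention survive, so the result is a mixture in which the copied file wins."""
    existing = parse_sections(existing_text)
    for header, body in parse_sections(copied_text).items():
        lines = existing.setdefault(header, [])
        for cmd in body:
            lines = _apply(lines, cmd)
        existing[header] = lines
    return render(existing)

def copy_to_startup_and_reload(copied_text):
    """Model `copy tftp: nvram:startup-config` followed by `reload`: the copied
    file is the whole configuration; nothing from the old one survives."""
    return render(parse_sections(copied_text))

# Constructed sample input: the running config carries a stray
# `permit ip any any` ACL entry that the backup being restored does not.
RUNNING = """hostname Switch1
access-list 101 permit ip any any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
!
interface GigabitEthernet0/17
 shutdown
end
"""
BACKUP = """hostname Switch1
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
!
interface GigabitEthernet0/17
end
"""
```

Running `copy_to_running(RUNNING, ensure_uplinks_enabled(BACKUP))` keeps the stray permit entry, while `copy_to_startup_and_reload` of the same file does not, which is the distinction the note draws.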


Configuration File Types and Location

Startup configuration files are used during system startup to configure the software. Running configuration files contain the current configuration of the software. The two configuration files can be different. For example, you might want to change the configuration for a short time period rather than permanently. In this case, you would change the running configuration but not save the configuration by using the copy running-config startup-config privileged EXEC command.

The running configuration is saved in DRAM; the startup configuration is stored in the NVRAM section of flash memory.


Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide
380261-003

Appendix B      Working with the Cisco IOS File System, Configuration Files, and Software Images


Creating a Configuration File By Using a Text Editor

When creating a configuration file, you must list commands logically so that the system can respond appropriately. This is one method of creating a configuration file:

Step 1      Copy an existing configuration from a switch to a server.

For more information, see the "Downloading the Configuration File By Using TFTP" section on page B-12, the "Downloading a Configuration File By Using FTP" section on page B-14, or the "Downloading a Configuration File By Using RCP" section on page B-18.

Step 2      Open the configuration file in a text editor, such as vi or emacs on UNIX or Notepad on a PC.

Step 3      Extract the portion of the configuration file with the desired commands, and save it in a new file.

Step 4      Copy the configuration file to the appropriate server location. For example, copy the file to the TFTP directory on the workstation (usually /tftpboot on a UNIX workstation).

Step 5      Make sure the permissions on the file are set to world-read.


Copying Configuration Files By Using TFTP

You can configure the switch by using configuration files you create, download from another switch, or download from a TFTP server. You can copy (upload) configuration files to a TFTP server for storage.

These sections contain this configuration information:

•  Preparing to Download or Upload a Configuration File By Using TFTP, page B-11

•  Downloading the Configuration File By Using TFTP, page B-12

•  Uploading the Configuration File By Using TFTP, page B-12

Preparing to Download or Upload a Configuration File By Using TFTP

Before you begin downloading or uploading a configuration file by using TFTP, do these tasks:

•  Ensure that the workstation acting as the TFTP server is properly configured. On a Sun workstation, make sure that the /etc/inetd.conf file contains this line:

tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -p -s /tftpboot

Make sure that the /etc/services file contains this line:

tftp 69/udp

Note      You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services files. To restart the daemon, either stop the inetd process and restart it, or enter a fastboot command (on the SunOS 4.x) or a reboot command (on Solaris 2.x or SunOS 5.x). For more information on the TFTP daemon, see the documentation for your workstation.

•  Ensure that the switch has a route to the TFTP server. The switch and the TFTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the TFTP server by using the ping command.

•  Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation).

•  For download operations, ensure that the permissions on the file are set correctly. The permission on the file should be world-read.

•  Before uploading the configuration file, you might need to create an empty file on the TFTP server. To create an empty file, enter the touch filename command, where filename is the name of the file you will use when uploading it to the server.

•  During upload operations, if you are overwriting an existing file (including an empty file, if you had to create one) on the server, ensure that the permissions on the file are set correctly. Permissions on the file should be world-write.

Downloading the Configuration File By Using TFTP

To configure the switch by using a configuration file downloaded from a TFTP server, follow these steps:

Step 1      Copy the configuration file to the appropriate TFTP directory on the workstation.

Step 2      Verify that the TFTP server is properly configured by referring to the "Preparing to Download or Upload a Configuration File By Using TFTP" section on page B-11.

Step 3      Log into the switch through the console port or a Telnet session.

Step 4      Download the configuration file from the TFTP server to configure the switch.

Specify the IP address or hostname of the TFTP server and the name of the file to download.

Use one of these privileged EXEC commands:

•  copy tftp:[[[//location]/directory]/filename] system:running-config

•  copy tftp:[[[//location]/directory]/filename] nvram:startup-config

The configuration file downloads, and the commands are executed as the file is parsed line-by-line.

This example shows how to configure the software from the file tokyo-confg at IP address 172.16.2.155:

Switch# copy tftp://172.16.2.155/tokyo-confg system:running-config

Configure using tokyo-confg from 172.16.2.155? [confirm] y
Booting tokyo-confg from 172.16.2.155:!!! [OK - 874/16000 bytes]

Uploading the Configuration File By Using TFTP

To upload a configuration file from a switch to a TFTP server for storage, follow these steps:

Step 1      Verify that the TFTP server is properly configured by referring to the "Preparing to Download or Upload a Configuration File By Using TFTP" section on page B-11.

Step 2      Log into the switch through the console port or a Telnet session.

Step 3      Upload the switch configuration to the TFTP server. Specify the IP address or hostname of the TFTP server and the destination filename.

Use one of these privileged EXEC commands:

•  copy system:running-config tftp:[[[//location]/directory]/filename]

•  copy nvram:startup-config tftp:[[[//location]/directory]/filename]

The file is uploaded to the TFTP server.

This example shows how to upload a configuration file from a switch to a TFTP server:

Switch# copy system:running-config tftp://172.16.2.155/tokyo-confg

Write file tokyo-confg on host 172.16.2.155? [confirm] y
#
Writing tokyo-confg!!! [OK]

Copying Configuration Files By Using FTP

You can copy configuration files to or from an FTP server.

The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy a configuration file from the switch to a server by using FTP, the Cisco IOS software sends the first valid username in this list:

•  The username specified in the copy command if a username is specified.

•  The username set by the ip ftp username username global configuration command if the command is configured.

•  Anonymous.

The switch sends the first valid password in this list:

•  The password specified in the copy command if a password is specified.

•  The password set by the ip ftp password password global configuration command if the command is configured.

•  The switch forms a password named username@switchname.domain. The variable username is the username associated with the current session, switchname is the configured hostname, and domain is the domain of the switch.

The username and password must be associated with an account on the FTP server. If you are writing to the server, the FTP server must be properly configured to accept your FTP write request.

Use the ip ftp username and ip ftp password commands to specify a username and password for all copies. Include the username in the copy command if you want to specify only a username for that copy operation.

If the server has a directory structure, the configuration file is written to or copied from the directory associated with the username on the server. For example, if the configuration file resides in the home directory of a user on the server, specify that user's name as the remote username.

For more information, see the documentation for your FTP server.
These sections contain this configuration information:

•  Preparing to Download or Upload a Configuration File By Using FTP, page B-14

•  Downloading a Configuration File By Using FTP, page B-14

•  Uploading a Configuration File By Using FTP, page B-15

Preparing to Download or Upload a Configuration File By Using FTP

Before you begin downloading or uploading a configuration file by using FTP, do these tasks:

•  Ensure that the switch has a route to the FTP server. The switch and the FTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the FTP server by using the ping command.

•  If you are accessing the switch through the console or a Telnet session and you do not have a valid username, make sure that the current FTP username is the one that you want to use for the FTP download. You can enter the show users privileged EXEC command to view the valid username. If you do not want to use this username, create a new FTP username by using the ip ftp username username global configuration command during all copy operations. The new username is stored in NVRAM. If you are accessing the switch through a Telnet session and you have a valid username, this username is used, and you do not need to set the FTP username. Include the username in the copy command if you want to specify a username for only that copy operation.

•  When you upload a configuration file to the FTP server, it must be properly configured to accept the write request from the user on the switch.

For more information, see the documentation for your FTP server.

Downloading a Configuration File By Using FTP

Beginning in privileged EXEC mode, follow these steps to download a configuration file by using FTP:

Step 1      Verify that the FTP server is properly configured by referring to the "Preparing to Download or Upload a Configuration File By Using FTP" section on page B-14.

Step 2      Log into the switch through the console port or a Telnet session.

Step 3      configure terminal
            Enter global configuration mode on the switch. This step is required only if you override the default remote username or password (see Steps 4, 5, and 6).

Step 4      ip ftp username username
            (Optional) Change the default remote username.

Step 5      ip ftp password password
            (Optional) Change the default password.

Step 6      end
            Return to privileged EXEC mode.

Step 7      copy ftp:[[[//[username[:password]@]location]/directory]/filename] system:running-config
            or
            copy ftp:[[[//[username[:password]@]location]/directory]/filename] nvram:startup-config
            Using FTP, copy the configuration file from a network server to the running configuration or to the startup configuration file.

This example shows how to copy a configuration file named host1-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101 and to load and run those commands on the switch:

Switch# copy ftp://netadmin1:mypass@172.16.101.101/host1-confg system:running-config

Configure using host1-confg from 172.16.101.101? [confirm]
Connected to 172.16.101.101
Loading 1112 byte file host1-confg:![OK]
Switch#
%SYS-5-CONFIG: Configured from host1-config by ftp from 172.16.101.101


This example shows how to specify a remote username of netadmin1. The software copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101 to the switch startup configuration.

Switch# configure terminal
Switch(config)# ip ftp username netadmin1
Switch(config)# ip ftp password mypass
Switch(config)# end
Switch# copy ftp: nvram:startup-config

Address of remote host [255.255.255.255]? 172.16.101.101
Name of configuration file[rtr2-confg]? host2-confg
Configure using host2-confg from 172.16.101.101?[confirm]
Connected to 172.16.101.101
Loading 1112 byte file host2-confg:![OK]
[OK]
Switch#
%SYS-5-CONFIG_NV:Non-volatile store configured from host2-config by ftp from 172.16.101.101

Uploading a Configuration File By Using FTP

Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using FTP:

Step 1      Verify that the FTP server is properly configured by referring to the "Preparing to Download or Upload a Configuration File By Using FTP" section on page B-14.

Step 2      Log into the switch through the console port or a Telnet session.

Step 3      configure terminal
            Enter global configuration mode. This step is required only if you override the default remote username or password (see Steps 4, 5, and 6).

Step 4      ip ftp username username
            (Optional) Change the default remote username.

Step 5      ip ftp password password
            (Optional) Change the default password.

Step 6      end
            Return to privileged EXEC mode.

Step 7      copy system:running-config ftp:[[[//[username[:password]@]location]/directory]/filename]
            or
            copy nvram:startup-config ftp:[[[//[username[:password]@]location]/directory]/filename]
            Using FTP, store the switch running or startup configuration file to the specified location.

This example shows how to copy the running configuration file named switch2-confg to the netadmin1 directory on the remote host with an IP address of 172.16.101.101:

Switch# copy system:running-config ftp://netadmin1:mypass@172.16.101.101/switch2-confg

Write file switch2-confg on host 172.16.101.101?[confirm]
Building configuration...[OK]
Connected to 172.16.101.101
Switch#

This example shows how to store a startup configuration file on a server by using FTP to copy the file:

Switch# configure terminal
Switch(config)# ip ftp username netadmin2
Switch(config)# ip ftp password mypass
Switch(config)# end
Switch# copy nvram:startup-config ftp:

Remote host[]? 172.16.101.101
Name of configuration file to write [switch2-confg]?
Write file switch2-confg on host 172.16.101.101?[confirm]
![OK]
Copying Configuration Files By Using RCP

The RCP provides another method of downloading, uploading, and copying configuration files between remote hosts and the switch. Unlike TFTP, which uses User Datagram Protocol (UDP), a connectionless protocol, RCP uses TCP, which is connection-oriented.

To use RCP to copy files, the server from or to which you will be copying files must support RCP. The RCP copy commands rely on the rsh server (or daemon) on the remote system. To copy files by using RCP, you do not need to create a server for file distribution as you do with TFTP. You only need to have access to a server that supports the remote shell (rsh). (Most UNIX systems support rsh.) Because you are copying a file from one place to another, you must have read permission on the source file and write permission on the destination file. If the destination file does not exist, RCP creates it for you.

The RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the switch to a server, the Cisco IOS software sends the first valid username in this list:

•  The username specified in the copy command if a username is specified.

•  The username set by the ip rcmd remote-username username global configuration command if the command is configured.

•  The remote username associated with the current TTY (terminal) process. For example, if the user is connected to the router through Telnet and was authenticated through the username command, the switch software sends the Telnet username as the remote username.

•  The switch hostname.

For a successful RCP copy request, you must define an account on the network server for the remote username. If the server has a directory structure, the configuration file is written to or copied from the directory associated with the remote username on the server. For example, if the configuration file is in the home directory of a user on the server, specify that user's name as the remote username.

These sections contain this configuration information:

•  Preparing to Download or Upload a Configuration File By Using RCP, page B-17

•  Downloading a Configuration File By Using RCP, page B-18

•  Uploading a Configuration File By Using RCP, page B-19

Preparing to Download or Upload a Configuration File By Using RCP

Before you begin downloading or uploading a configuration file by using RCP, do these tasks:

•  Ensure that the workstation acting as the RCP server supports the remote shell (rsh).

•  Ensure that the switch has a route to the RCP server. The switch and the server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the RCP server by using the ping command.

•  If you are accessing the switch through the console or a Telnet session and you do not have a valid username, make sure that the current RCP username is the one that you want to use for the RCP download. You can enter the show users privileged EXEC command to view the valid username. If you do not want to use this username, create a new RCP username by using the ip rcmd remote-username username global configuration command to be used during all copy operations. The new username is stored in NVRAM. If you are accessing the switch through a Telnet session and you have a valid username, this username is used, and you do not need to set the RCP username. Include the username in the copy command if you want to specify a username for only that copy operation.
•  When you upload a file to the RCP server, it must be properly configured to accept the RCP write request from the user on the switch. For UNIX systems, you must add an entry to the .rhosts file for the remote user on the RCP server. For example, suppose that the switch contains these configuration lines:

hostname Switch1
ip rcmd remote-username User0

If the switch IP address translates to Switch1.company.com, the .rhosts file for User0 on the RCP server should contain this line:

Switch1.company.com Switch1

For more information, see the documentation for your RCP server.


Downloading a Configuration File By Using RCP

Beginning in privileged EXEC mode, follow these steps to download a configuration file by using RCP:

Step 1      Verify that the RCP server is properly configured by referring to the "Preparing to Download or Upload a Configuration File By Using RCP" section on page B-17.

Step 2      Log into the switch through the console port or a Telnet session.

Step 3      configure terminal
            Enter global configuration mode. This step is required only if you override the default remote username (see Steps 4 and 5).

Step 4      ip rcmd remote-username username
            (Optional) Specify the remote username.

Step 5      end
            Return to privileged EXEC mode.

Step 6      copy rcp:[[[//[username@]location]/directory]/filename] system:running-config
            or
            copy rcp:[[[//[username@]location]/directory]/filename] nvram:startup-config
            Using RCP, copy the configuration file from a network server to the running configuration or to the startup configuration file.

This example shows how to copy a configuration file named host1-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101 and load and run those commands on the switch:

Switch# copy rcp://netadmin1@172.16.101.101/host1-confg system:running-config

Configure using host1-confg from 172.16.101.101? [confirm]
Connected to 172.16.101.101
Loading 1112 byte file host1-confg:![OK]
Switch#
%SYS-5-CONFIG: Configured from host1-config by rcp from 172.16.101.101

This example shows how to specify a remote username of netadmin1. Then it copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101 to the startup configuration:

Switch# configure terminal
Switch(config)# ip rcmd remote-username netadmin1
Switch(config)# end
Switch# copy rcp: nvram:startup-config

Address of remote host [255.255.255.255]? 172.16.101.101
Name of configuration file[rtr2-confg]? host2-confg
Configure using host2-confg from 172.16.101.101?[confirm]
Connected to 172.16.101.101
Loading 1112 byte file host2-confg:![OK]
[OK]
Switch#
%SYS-5-CONFIG_NV:Non-volatile store configured from host2-config by rcp from 172.16.101.101

Uploading a Configuration File By Using RCP

Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using RCP:

Step 1      Verify that the RCP server is properly configured by referring to the "Preparing to Download or Upload a Configuration File By Using RCP" section on page B-17.

Step 2      Log into the switch through the console port or a Telnet session.

Step 3      configure terminal
            Enter global configuration mode. This step is required only if you override the default remote username (see Steps 4 and 5).

Step 4      ip rcmd remote-username username
            (Optional) Specify the remote username.

Step 5      end
            Return to privileged EXEC mode.

Step 6      copy system:running-config rcp:[[[//[username@]location]/directory]/filename]
            or
            copy nvram:startup-config rcp:[[[//[username@]location]/directory]/filename]
            Using RCP, copy the configuration file from a switch running or startup configuration file to a network server.

This example shows how to copy the running configuration file named switch2-confg to the netadmin1 directory on the remote host with an IP address of 172.16.101.101:

Switch# copy system:running-config rcp://netadmin1@172.16.101.101/switch2-confg

Write file switch-confg on host 172.16.101.101?[confirm]
Building configuration...[OK]
Connected to 172.16.101.101
Switch#

This example shows how to store a startup configuration file on a server:

Switch# configure terminal
Switch(config)# ip rcmd remote-username netadmin2
Switch(config)# end
Switch# copy nvram:startup-config rcp:

Remote host[]? 172.16.101.101
Name of configuration file to write [switch2-confg]?
Write file switch2-confg on host 172.16.101.101?[confirm]
![OK]

Clearing  Configuration  Information 

You  can  clear  the  configuration  information  from  the  startup  configuration.  If  you  reboot  the  switch  with 
no  startup  configuration,  the  switch  enters  the  setup  program  so  that  you  can  reconfigure  the  switch  with 
all  new  settings. 

Clearing  the  Startup  Configuration  File 

To  clear  the  contents  of  your  startup  configuration,  use  the  erase  nvram:  or  the  erase  startup-config 
privileged  EXEC  command. 

Caution      You  cannot  restore  the  startup  configuration  file  after  it  has  been  deleted. 


Deleting  a  Stored  Configuration  File 

To delete a saved configuration from flash memory, use the delete flash:filename privileged EXEC
command. Depending on the setting of the file prompt global configuration command, you might be
prompted for confirmation before you delete a file. By default, the switch prompts for confirmation on
destructive file operations. For more information about the file prompt command, see the Cisco IOS
Command Reference for Release 12.2.

Caution      You cannot restore a file after it has been deleted.


Working  with  Software  Images 

This  section  describes  how  to  archive  (download  and  upload)  software  image  files,  which  contain  the 
system  software,  the  Cisco  IOS  code,  and  the  embedded  device  manager  software. 

Note      Instead of using the copy privileged EXEC command or the archive tar privileged EXEC command, we
recommend using the archive download-sw and archive upload-sw privileged EXEC commands to
download and upload software image files.


You  can  download  a  switch  image  file  from  a  TFTP,  FTP,  or  RCP  server  to  upgrade  the  switch  software. 
If  you  do  not  have  access  to  a  TFTP  server,  you  can  download  a  software  image  file  directly  to  your  PC 
or  workstation  by  using  a  web  browser  (HTTP)  and  then  by  using  the  device  manager  to  upgrade  your 
switch.  For  information  about  upgrading  your  switch  by  using  a  TFTP  server  or  a  web  browser  (HTTP), 
see  the  release  notes. 

You  can  replace  the  current  image  with  the  new  one  or  keep  the  current  image  in  flash  memory  after  a 
download. 
You upload a switch image file to a TFTP, FTP, or RCP server for backup purposes. You can use this
uploaded image for future downloads to the same switch or to another of the same type.

The  protocol  that  you  use  depends  on  which  type  of  server  you  are  using.  The  FTP  and  RCP  transport 
mechanisms  provide  faster  performance  and  more  reliable  delivery  of  data  than  TFTP.  These 
improvements  are  possible  because  FTP  and  RCP  are  built  on  and  use  the  TCP/IP  stack,  which  is 
connection-oriented. 

These  sections  contain  this  configuration  information: 

•  Image  Location  on  the  Switch,  page  B-21 

•  tar  File  Format  of  Images  on  a  Server  or  Cisco.com,  page  B-21 

•  Copying  Image  Files  By  Using  TFTP,  page  B-22 

•  Copying  Image  Files  By  Using  FTP,  page  B-25 

•  Copying  Image  Files  By  Using  RCP,  page  B-29 

Note      For  a  list  of  software  images  and  the  supported  upgrade  paths,  see  the  release  notes. 


Image  Location  on  the  Switch 

The  Cisco  IOS  image  is  stored  as  a  .bin  file  in  a  directory  that  shows  the  version  number.  A  subdirectory 
contains  the  files  needed  for  web  management.  The  image  is  stored  on  the  system  board  flash  memory 
(flash:). 

You can use the show version privileged EXEC command to see the software version that is currently
running on your switch. In the display, check the line that begins with System image file is... . It
shows the directory name in flash memory where the image is stored.

You can also use the dir filesystem: privileged EXEC command to see the directory names of other
software images that you might have stored in flash memory.

tar  File  Format  of  Images  on  a  Server  or  Cisco.com 

Software  images  located  on  a  server  or  downloaded  from  Cisco.com  are  provided  in  a  tar  file  format, 
which  contains  these  files: 

•  An  info  file,  which  serves  as  a  table  of  contents  for  the  tar  file 

•  One  or  more  subdirectories  containing  other  images  and  files,  such  as  Cisco  IOS  images  and  web 
management  files 

This  example  shows  some  of  the  information  contained  in  the  info  file.  Table  B-3  provides  additional 
details  about  this  information: 

system_type:0x00000000:cgesm-i612-mz.122.25-SE
image_family:cgesm
stacking_number:1.0
info_end:

version_suffix:i612-122.25-SE
version_directory:cgesm-i612-mz.122.25-SE
image_system_type_id:0x00000000
image_name:cgesm-i612-mz.122.25-SE.bin
ios_image_file_size:2939392
total_image_file_size:4884992
image_feature:LAYER_2|MIN_DRAM_MEG=32
image_family:cgesm
stacking_number:1.0
board_ids:0x00000008
info_end:

Note      Disregard the stacking_number field. It does not apply to the switch.


Table B-3    info File Description

Field                      Description

version_suffix             Specifies the Cisco IOS image version string suffix

version_directory          Specifies the directory where the Cisco IOS image and the HTML subdirectory
                           are installed

image_name                 Specifies the name of the Cisco IOS image within the tar file

ios_image_file_size        Specifies the Cisco IOS image size in the tar file, which is an approximate
                           measure of how much flash memory is required to hold just the Cisco IOS image

total_image_file_size      Specifies the size of all the images (the Cisco IOS image and the web
                           management files) in the tar file, which is an approximate measure of how much
                           flash memory is required to hold them

image_feature              Describes the core functionality of the image

image_min_dram             Specifies the minimum amount of DRAM needed to run this image

image_family               Describes the family of products on which the software can be installed

Copying  Image  Files  By  Using  TFTP 

You  can  download  a  switch  image  from  a  TFTP  server  or  upload  the  image  from  the  switch  to  a  TFTP 
server. 

You  download  a  switch  image  file  from  a  server  to  upgrade  the  switch  software.  You  can  overwrite  the 
current  image  with  the  new  one  or  keep  the  current  image  after  a  download. 

You  upload  a  switch  image  file  to  a  server  for  backup  purposes;  this  uploaded  image  can  be  used  for 
future  downloads  to  the  same  or  another  switch  of  the  same  type. 


Note      Instead of using the copy privileged EXEC command or the archive tar privileged EXEC command, we
recommend using the archive download-sw and archive upload-sw privileged EXEC commands to
download and upload software image files.

These  sections  contain  this  configuration  information: 

•  Preparing  to  Download  or  Upload  an  Image  File  By  Using  TFTP,  page  B-23 

•  Downloading  an  Image  File  By  Using  TFTP,  page  B-23 

•  Uploading  an  Image  File  By  Using  TFTP,  page  B-25 


Preparing  to  Download  or  Upload  an  Image  File  By  Using  TFTP

Before  you  begin  downloading  or  uploading  an  image  file  by  using  TFTP,  do  these  tasks: 

•  Ensure that the workstation acting as the TFTP server is properly configured. On a Sun workstation,
make sure that the /etc/inetd.conf file contains this line:

tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -p -s /tftpboot

Make sure that the /etc/services file contains this line:

tftp 69/udp

Note     You  must  restart  the  inetd  daemon  after  modifying  the  /etc/inetd.conf  and  /etc/services  files. 
To  restart  the  daemon,  either  stop  the  inetd  process  and  restart  it,  or  enter  a  fastboot 
command  (on  the  SunOS  4.x)  or  a  reboot  command  (on  Solaris  2.x  or  SunOS  5.x).  For  more 
information  on  the  TFTP  daemon,  see  the  documentation  for  your  workstation. 


•  Ensure  that  the  switch  has  a  route  to  the  TFTP  server.  The  switch  and  the  TFTP  server  must  be  in 
the  same  subnetwork  if  you  do  not  have  a  router  to  route  traffic  between  subnets.  Check  connectivity 
to  the  TFTP  server  by  using  the  ping  command. 

•  Ensure  that  the  image  to  be  downloaded  is  in  the  correct  directory  on  the  TFTP  server  (usually 
/tftpboot  on  a  UNIX  workstation). 

•  For  download  operations,  ensure  that  the  permissions  on  the  file  are  set  correctly.  The  permission 
on  the  file  should  be  world-read. 

•  Before  uploading  the  image  file,  you  might  need  to  create  an  empty  file  on  the  TFTP  server.  To 
create  an  empty  file,  enter  the  touch  filename  command,  where  filename  is  the  name  of  the  file  you 
will  use  when  uploading  the  image  to  the  server. 

•  During  upload  operations,  if  you  are  overwriting  an  existing  file  (including  an  empty  file,  if  you  had 
to  create  one)  on  the  server,  ensure  that  the  permissions  on  the  file  are  set  correctly.  Permissions  on 
the  file  should  be  world-write. 
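The preparation tasks above are things you confirm by hand on the workstation that will act as the TFTP server. The following script is an added example (not part of the Cisco guide) that checks them: it looks for the tftp entries in /etc/inetd.conf and /etc/services, verifies that an image to be downloaded is world-readable, and creates the empty upload target (the equivalent of touch filename) and gives it the world-write bit the guide asks for. The inetd.conf and services excerpts embedded below are constructed samples; the file paths passed to the functions are whatever your server uses.

```python
"""Checks for the TFTP-server preparation tasks listed in the guide.

Added example, not code from the Cisco guide.  The two configuration
excerpts are constructed for the example; run_demo() exercises the
permission checks in a scratch directory.
"""
import os
import stat
import tempfile

# Constructed samples of the two lines the guide requires on a Sun/UNIX TFTP server.
SAMPLE_INETD_CONF = """\
# constructed /etc/inetd.conf excerpt
ftp     stream  tcp  nowait  root  /usr/etc/in.ftpd   in.ftpd
tftp    dgram   udp  wait    root  /usr/etc/in.tftpd  in.tftpd -p -s /tftpboot
"""
SAMPLE_SERVICES = """\
# constructed /etc/services excerpt
ftp     21/tcp
tftp    69/udp
"""


def inetd_tftp_root(inetd_conf_text):
    """Return the directory given to in.tftpd with -s, '' if tftp is enabled
    without -s, or None when no usable tftp line exists."""
    for line in inetd_conf_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0] != "tftp":
            continue
        # fields: service, socket type, protocol, wait flag, user, server path, args...
        if len(fields) >= 4 and fields[1] == "dgram" and fields[2] == "udp" and fields[3] == "wait":
            args = fields[6:]
            if "-s" in args and args.index("-s") + 1 < len(args):
                return args[args.index("-s") + 1]
            return ""
    return None


def services_has_tftp(services_text):
    """True when /etc/services maps tftp to 69/udp."""
    for line in services_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "tftp" and fields[1:2] == ["69/udp"]:
            return True
    return False


def download_file_ok(path):
    """An image to be downloaded must exist as a regular file and be world-readable."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return stat.S_ISREG(mode) and bool(mode & stat.S_IROTH)


def prepare_upload_target(path):
    """Create the empty upload target if it is missing (the guide's 'touch filename')
    and make sure it carries the world-write bit the guide requires."""
    if not os.path.exists(path):
        with open(path, "a"):
            pass
    mode = os.stat(path).st_mode
    if not mode & stat.S_IWOTH:
        os.chmod(path, stat.S_IMODE(mode) | stat.S_IWOTH)
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def run_demo():
    """Exercise the checks on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "cgesm-image.tar")   # constructed placeholder image
        with open(image, "wb") as fh:
            fh.write(b"constructed tar placeholder")
        os.chmod(image, 0o600)            # owner-only: the TFTP daemon could not serve it
        unreadable = download_file_ok(image)
        os.chmod(image, 0o644)            # world-read, as the guide requires for downloads
        readable = download_file_ok(image)
        target = os.path.join(tmp, "backup-image.tar")
        upload_ready = prepare_upload_target(target)
        return {
            "unreadable": unreadable,
            "readable": readable,
            "upload_ready": upload_ready,
            "tftp_root": inetd_tftp_root(SAMPLE_INETD_CONF),
            "services_ok": services_has_tftp(SAMPLE_SERVICES),
        }


if __name__ == "__main__":
    print(run_demo())
```

Run it against the real files by passing the contents of /etc/inetd.conf and /etc/services and the paths under /tftpboot; the daemon still has to be restarted after any change, as the note above says. The directory returned by inetd_tftp_root is where in.tftpd confines itself with -s, so an image placed anywhere else will not be served.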


Downloading  an  Image  File  By  Using  TFTP 

You  can  download  a  new  image  file  and  replace  the  current  image  or  keep  the  current  image. 

Beginning  in  privileged  EXEC  mode,  follow  Steps  1  through  3  to  download  a  new  image  from  a  TFTP 
server  and  overwrite  the  existing  image.  To  keep  the  current  image,  go  to  Step  3. 


Step 1
Copy the image to the appropriate TFTP directory on the workstation. Make sure the TFTP server is
properly configured; see the "Preparing to Download or Upload an Image File By Using TFTP" section on
page B-23.

Step 2
Log into the switch through the console port or a Telnet session.

Step 3    archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name.tar
Download the image file from the TFTP server to the switch, and overwrite the current image.

•  The /overwrite option overwrites the software image in flash memory with the downloaded image.

•  The /reload option reloads the system after downloading the image unless the configuration has been
changed and not been saved.

•  For //location, specify the IP address of the TFTP server.

•  For /directory/image-name.tar, specify the directory (optional) and the image to download. Directory
and image names are case sensitive.

or

archive download-sw /leave-old-sw /reload tftp:[[//location]/directory]/image-name.tar
Download the image file from the TFTP server to the switch, and keep the current image.

•  The /leave-old-sw option keeps the old software version after a download.

•  The /reload option reloads the system after downloading the image unless the configuration has been
changed and not been saved.

•  For //location, specify the IP address of the TFTP server.

•  For /directory/image-name.tar, specify the directory (optional) and the image to download. Directory
and image names are case sensitive.

The  download  algorithm  verifies  that  the  image  is  appropriate  for  the  switch  model  and  that  enough 
DRAM  is  present,  or  it  aborts  the  process  and  reports  an  error.  If  you  specify  the  /overwrite  option,  the 
download  algorithm  removes  the  existing  image  on  the  flash  device  whether  or  not  it  is  the  same  as  the 
new  one,  downloads  the  new  image,  and  then  reloads  the  software. 

Note      If  the  flash  device  has  sufficient  space  to  hold  two  images  and  you  want  to  overwrite  one  of  these  images 
with  the  same  version,  you  must  specify  the  /overwrite  option. 


If  you  specify  the  /leave-old-sw,  the  existing  files  are  not  removed.  If  there  is  not  enough  space  to  install 
the  new  image  and  keep  the  current  running  image,  the  download  process  stops,  and  an  error  message  is 
displayed. 
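The checks described in the two paragraphs above (image appropriate for the switch model, enough DRAM, and enough flash for /leave-old-sw) are driven by the fields of the info file shown in the "tar File Format of Images on a Server or Cisco.com" section. The following added example, which is not code from the Cisco guide and not the switch's own download algorithm, parses such an info file and applies the same pre-flight checks on a workstation before a download is attempted. The info text is a constructed sample modelled on the one in the guide, and the SwitchFacts values (family, DRAM, free flash, current image size) are assumptions you would replace with figures from show version and dir flash:.

```python
"""Pre-flight check of a Cisco IOS tar-image info file.

Added example, not code from the Cisco guide.  It parses the key:value
lines of the info file and applies the checks the guide attributes to
the archive download-sw algorithm: image family fits the switch, the
switch has at least MIN_DRAM_MEG of DRAM, and the image fits in flash
(beside the current image for /leave-old-sw, in its place for /overwrite).
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the guide's info file.  stacking_number is
# present but ignored, as the guide says it does not apply to this switch.
SAMPLE_INFO = """\
system_type:0x00000000:cgesm-i612-mz.122.25-SE
image_family:cgesm
stacking_number:1.0
info_end:

version_suffix:i612-122.25-SE
version_directory:cgesm-i612-mz.122.25-SE
image_system_type_id:0x00000000
image_name:cgesm-i612-mz.122.25-SE.bin
ios_image_file_size:2939392
total_image_file_size:4884992
image_feature:LAYER_2|MIN_DRAM_MEG=32
image_family:cgesm
stacking_number:1.0
board_ids:0x00000008
info_end:
"""


def parse_info(text):
    """Return the info file as a dict (last value wins for repeated keys).

    Only the first ':' separates key from value, so a value such as
    '0x00000000:cgesm-...' (system_type) is kept intact.
    """
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "info_end:":
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def parse_image_feature(feature):
    """Split 'LAYER_2|MIN_DRAM_MEG=32' into (set of feature flags, min DRAM in MB)."""
    flags = set()
    min_dram = None
    for token in feature.split("|"):
        token = token.strip()
        m = re.fullmatch(r"MIN_DRAM_MEG=(\d+)", token)
        if m:
            min_dram = int(m.group(1))
        elif token:
            flags.add(token)
    return flags, min_dram


@dataclass
class SwitchFacts:
    """Constructed description of the target switch (an assumption of this example)."""
    image_family: str
    dram_meg: int
    flash_free_bytes: int
    current_image_bytes: int   # size of the image that /overwrite would remove first


def preflight(info_text, switch, leave_old_sw=False):
    """Return a list of problems; an empty list means the download may proceed."""
    f = parse_info(info_text)
    problems = []
    for key in ("image_family", "image_name", "total_image_file_size", "image_feature"):
        if key not in f:
            problems.append(f"info file lacks {key}")
    if problems:
        return problems
    if f["image_family"] != switch.image_family:
        problems.append(f"image family {f['image_family']} does not match switch {switch.image_family}")
    _, min_dram = parse_image_feature(f["image_feature"])
    if min_dram is not None and switch.dram_meg < min_dram:
        problems.append(f"image needs {min_dram} MB DRAM, switch has {switch.dram_meg}")
    needed = int(f["total_image_file_size"])
    # /overwrite removes the current image before downloading; /leave-old-sw must fit beside it.
    available = switch.flash_free_bytes + (0 if leave_old_sw else switch.current_image_bytes)
    if needed > available:
        problems.append(f"image needs {needed} bytes of flash, only {available} available")
    return problems


if __name__ == "__main__":
    facts = SwitchFacts("cgesm", 64, 3_000_000, 4_000_000)   # constructed figures
    print("overwrite:", preflight(SAMPLE_INFO, facts) or "ok")
    print("leave-old-sw:", preflight(SAMPLE_INFO, facts, leave_old_sw=True) or "ok")
```

The guide calls total_image_file_size an approximate measure of the flash needed, so treat a near-miss on the flash check as a failure rather than a pass; the switch itself will stop the download with an error in that case, but catching it before the transfer saves a reload window.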

The  algorithm  installs  the  downloaded  image  on  the  system  board  flash  device  (flash:).  The  image  is 
placed  into  a  new  directory  named  with  the  software  version  string,  and  the  BOOT  environment  variable 
is  updated  to  point  to  the  newly  installed  image. 

If you kept the old image during the download process (you specified the /leave-old-sw keyword), you
can remove it by entering the delete /force /recursive filesystem:/file-url privileged EXEC command.
For filesystem, use flash: for the system board flash device. For file-url, enter the directory name of the
old image. All the files in the directory and the directory are removed.

Caution      For the download and upload algorithms to operate properly, do not rename image names.

Uploading  an  Image  File  By  Using  TFTP

You  can  upload  an  image  from  the  switch  to  a  TFTP  server.  You  can  later  download  this  image  to  the 
switch  or  to  another  switch  of  the  same  type. 

Use  the  upload  feature  only  if  the  web  management  pages  associated  with  the  embedded  device  manager 
have  been  installed  with  the  existing  image. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  upload  an  image  to  a  TFTP  server: 


Step 1
Make sure the TFTP server is properly configured; see the "Preparing to Download or Upload an Image
File By Using TFTP" section on page B-23.

Step 2
Log into the switch through the console port or a Telnet session.

Step 3    archive upload-sw tftp:[[//location]/directory]/image-name.tar
Upload the currently running switch image to the TFTP server.

•  For //location, specify the IP address of the TFTP server.

•  For /directory/image-name.tar, specify the directory (optional) and the name of the software image to
be uploaded. Directory and image names are case sensitive. The image-name.tar is the name of the
software image to be stored on the server.

The  archive  upload-sw  privileged  EXEC  command  builds  an  image  file  on  the  server  by  uploading 
these  files  in  order:  info,  the  Cisco  IOS  image,  and  the  web  management  files.  After  these  files  are 
uploaded,  the  upload  algorithm  creates  the  tar  file  format. 

Caution      For  the  download  and  upload  algorithms  to  operate  properly,  do  not  rename  image  names. 


Copying  Image  Files  By  Using  FTP 

You  can  download  a  switch  image  from  an  FTP  server  or  upload  the  image  from  the  switch  to  an  FTP 
server. 

You  download  a  switch  image  file  from  a  server  to  upgrade  the  switch  software.  You  can  overwrite  the 
current  image  with  the  new  one  or  keep  the  current  image  after  a  download. 

You  upload  a  switch  image  file  to  a  server  for  backup  purposes.  You  can  use  this  uploaded  image  for 
future  downloads  to  the  switch  or  another  switch  of  the  same  type. 

Note      Instead  of  using  the  copy  privileged  EXEC  command  or  the  archive  tar  privileged  EXEC  command,  we 
recommend  using  the  archive  download-sw  and  archive  upload-sw  privileged  EXEC  commands  to 
download  and  upload  software  image  files. 
These sections contain this configuration information:

•  Preparing  to  Download  or  Upload  an  Image  File  By  Using  FTP,  page  B-26 

•  Downloading  an  Image  File  By  Using  FTP,  page  B-27 

•  Uploading  an  Image  File  By  Using  FTP,  page  B-28 

Preparing  to  Download  or  Upload  an  Image  File  By  Using  FTP 

You can copy image files to or from an FTP server.

The  FTP  protocol  requires  a  client  to  send  a  remote  username  and  password  on  each  FTP  request  to  a 
server.  When  you  copy  an  image  file  from  the  switch  to  a  server  by  using  FTP,  the  Cisco  IOS  software 
sends  the  first  valid  username  in  this  list: 

•  The  username  specified  in  the  archive  download-sw  or  archive  upload-sw  privileged  EXEC 
command  if  a  username  is  specified. 

•  The  username  set  by  the  ip  ftp  username  username  global  configuration  command  if  the  command 
is  configured. 

•  Anonymous. 

The  switch  sends  the  first  valid  password  in  this  list: 

•  The  password  specified  in  the  archive  download-sw  or  archive  upload-sw  privileged  EXEC 
command  if  a  password  is  specified. 

•  The  password  set  by  the  ip  ftp  password  password  global  configuration  command  if  the  command 
is  configured. 

•  The switch forms a password named username@switchname.domain. The variable username is the
username associated with the current session, switchname is the configured hostname, and domain
is the domain of the switch.

The  username  and  password  must  be  associated  with  an  account  on  the  FTP  server.  If  you  are  writing  to 
the  server,  the  FTP  server  must  be  properly  configured  to  accept  the  FTP  write  request  from  you. 

Use  the  ip  ftp  username  and  ip  ftp  password  commands  to  specify  a  username  and  password  for  all 
copies.  Include  the  username  in  the  archive  download-sw  or  archive  upload-sw  privileged  EXEC 
command  if  you  want  to  specify  a  username  only  for  that  operation. 

If  the  server  has  a  directory  structure,  the  image  file  is  written  to  or  copied  from  the  directory  associated 
with  the  username  on  the  server.  For  example,  if  the  image  file  resides  in  the  home  directory  of  a  user 
on  the  server,  specify  that  user's  name  as  the  remote  username. 

Before  you  begin  downloading  or  uploading  an  image  file  by  using  FTP,  do  these  tasks: 

•  Ensure  that  the  switch  has  a  route  to  the  FTP  server.  The  switch  and  the  FTP  server  must  be  in  the 
same  subnetwork  if  you  do  not  have  a  router  to  route  traffic  between  subnets.  Check  connectivity  to 
the  FTP  server  by  using  the  ping  command. 

•  If  you  are  accessing  the  switch  through  the  console  or  a  Telnet  session  and  you  do  not  have  a  valid 
username,  make  sure  that  the  current  FTP  username  is  the  one  that  you  want  to  use  for  the  FTP 
download.  You  can  enter  the  show  users  privileged  EXEC  command  to  view  the  valid  username.  If 
you  do  not  want  to  use  this  username,  create  a  new  FTP  username  by  using  the  ip  ftp  username 
username  global  configuration  command.  This  new  name  will  be  used  during  all  archive  operations. 
The  new  username  is  stored  in  NVRAM.  If  you  are  accessing  the  switch  through  a  Telnet  session 
and  you  have  a  valid  username,  this  username  is  used,  and  you  do  not  need  to  set  the  FTP  username. 
Include  the  username  in  the  archive  download-sw  or  archive  upload-sw  privileged  EXEC 
command  if  you  want  to  specify  a  username  for  that  operation  only. 
•  When you upload an image file to the FTP server, it must be properly configured to accept the write
request from the user on the switch.

For  more  information,  see  the  documentation  for  your  FTP  server. 

Downloading  an  Image  File  By  Using  FTP 

You  can  download  a  new  image  file  and  overwrite  the  current  image  or  keep  the  current  image. 

Beginning  in  privileged  EXEC  mode,  follow  Steps  1  through  7  to  download  a  new  image  from  an  FTP 
server  and  overwrite  the  existing  image.  To  keep  the  current  image,  go  to  Step  7. 


Step 1
Verify that the FTP server is properly configured by referring to the "Preparing to Download or Upload an
Image File By Using FTP" section on page B-26.

Step 2
Log into the switch through the console port or a Telnet session.

Step 3    configure terminal
Enter global configuration mode. This step is required only if you override the default remote username
or password (see Steps 4, 5, and 6).

Step 4    ip ftp username username
(Optional) Change the default remote username.

Step 5    ip ftp password password
(Optional) Change the default password.

Step 6    end
Return to privileged EXEC mode.

Step 7    archive download-sw /overwrite /reload ftp:[[//username[:password]@location]/directory]/image-name.tar
Download the image file from the FTP server to the switch, and overwrite the current image.

•  The /overwrite option overwrites the software image in flash memory with the downloaded image.

•  The /reload option reloads the system after downloading the image unless the configuration has been
changed and not been saved.

•  For //username[:password], specify the username and password; these must be associated with an
account on the FTP server. For more information, see the "Preparing to Download or Upload an Image
File By Using FTP" section on page B-26.

•  For @location, specify the IP address of the FTP server.

•  For directory/image-name.tar, specify the directory (optional) and the image to download. Directory
and image names are case sensitive.

or

archive download-sw /leave-old-sw /reload ftp:[[//username[:password]@location]/directory]/image-name.tar
Download the image file from the FTP server to the switch, and keep the current image.

•  The /leave-old-sw option keeps the old software version after a download.

•  The /reload option reloads the system after downloading the image unless the configuration has been
changed and not been saved.

•  For //username[:password], specify the username and password. These must be associated with an
account on the FTP server. For more information, see the "Preparing to Download or Upload an Image
File By Using FTP" section on page B-26.

•  For @location, specify the IP address of the FTP server.

•  For directory/image-name.tar, specify the directory (optional) and the image to download. Directory
and image names are case sensitive.

The  download  algorithm  verifies  that  the  image  is  appropriate  for  the  switch  model  and  that  enough 
DRAM  is  present,  or  it  aborts  the  process  and  reports  an  error.  If  you  specify  the  /overwrite  option,  the 
download  algorithm  removes  the  existing  image  on  the  flash  device,  whether  or  not  it  is  the  same  as  the 
new  one,  downloads  the  new  image,  and  then  reloads  the  software. 


Note      If  the  flash  device  has  sufficient  space  to  hold  two  images  and  you  want  to  overwrite  one  of  these  images 
with  the  same  version,  you  must  specify  the  /overwrite  option. 


If  you  specify  the  /leave-old-sw,  the  existing  files  are  not  removed.  If  there  is  not  enough  space  to  install 
the  new  image  and  keep  the  running  image,  the  download  process  stops,  and  an  error  message  is 
displayed. 

The  algorithm  installs  the  downloaded  image  onto  the  system  board  flash  device  (flash:).  The  image  is 
placed  into  a  new  directory  named  with  the  software  version  string,  and  the  BOOT  environment  variable 
is  updated  to  point  to  the  newly  installed  image. 

If you kept the old image during the download process (you specified the /leave-old-sw keyword), you
can remove it by entering the delete /force /recursive filesystem:/file-url privileged EXEC command.
For filesystem, use flash: for the system board flash device. For file-url, enter the directory name of the
old software image. All the files in the directory and the directory are removed.

Caution      For  the  download  and  upload  algorithms  to  operate  properly,  do  not  rename  image  names. 


Uploading  an  Image  File  By  Using  FTP 

You  can  upload  an  image  from  the  switch  to  an  FTP  server.  You  can  later  download  this  image  to  the 
same  switch  or  to  another  switch  of  the  same  type. 

Use  the  upload  feature  only  if  the  web  management  pages  associated  with  the  embedded  device  manager 
have  been  installed  with  the  existing  image. 
Beginning in privileged EXEC mode, follow these steps to upload an image to an FTP server:

Step 1
Verify that the FTP server is properly configured by referring to the "Preparing to Download or Upload a
Configuration File By Using FTP" section on page B-14.

Step 2
Log into the switch through the console port or a Telnet session.

Step 3    configure terminal
Enter global configuration mode. This step is required only if you override the default remote username
or password (see Steps 4, 5, and 6).

Step 4    ip ftp username username
(Optional) Change the default remote username.

Step 5    ip ftp password password
(Optional) Change the default password.

Step 6    end
Return to privileged EXEC mode.

Step 7    archive upload-sw ftp:[[//[username[:password]@]location]/directory]/image-name.tar
Upload the currently running switch image to the FTP server.

•  For //username:password, specify the username and password. These must be associated with an
account on the FTP server. For more information, see the "Preparing to Download or Upload an Image
File By Using FTP" section on page B-26.

•  For @location, specify the IP address of the FTP server.

•  For /directory/image-name.tar, specify the directory (optional) and the name of the software image to
be uploaded. Directory and image names are case sensitive. The image-name.tar is the name of the
software image to be stored on the server.


The  archive  upload-sw  command  builds  an  image  file  on  the  server  by  uploading  these  files  in  order: 
info,  the  Cisco  IOS  image,  and  the  web  management  files.  After  these  files  are  uploaded,  the  upload 
algorithm  creates  the  tar  file  format. 

Caution      For  the  download  and  upload  algorithms  to  operate  properly,  do  not  rename  image  names. 


Copying  Image  Files  By  Using  RCP 

You  can  download  a  switch  image  from  an  RCP  server  or  upload  the  image  from  the  switch  to  an  RCP 
server. 

You  download  a  switch  image  file  from  a  server  to  upgrade  the  switch  software.  You  can  overwrite  the 
current  image  with  the  new  one  or  keep  the  current  image  after  a  download. 

You  upload  a  switch  image  file  to  a  server  for  backup  purposes.  You  can  use  this  uploaded  image  for 
future  downloads  to  the  same  switch  or  another  of  the  same  type. 
Note      Instead of using the copy privileged EXEC command or the archive tar privileged EXEC command, we
recommend using the archive download-sw and archive upload-sw privileged EXEC commands to
download and upload software image files.

These  sections  contain  this  configuration  information: 

•  Preparing  to  Download  or  Upload  an  Image  File  By  Using  RCP,  page  B-30 

•  Downloading  an  Image  File  By  Using  RCP,  page  B-31 

•  Uploading  an  Image  File  By  Using  RCP,  page  B-33 

Preparing  to  Download  or  Upload  an  Image  File  By  Using  RCP 

RCP  provides  another  method  of  downloading  and  uploading  image  files  between  remote  hosts  and  the 
switch.  Unlike  TFTP,  which  uses  User  Datagram  Protocol  (UDP),  a  connectionless  protocol,  RCP  uses 
TCP,  which  is  connection-oriented. 

To  use  RCP  to  copy  files,  the  server  from  or  to  which  you  will  be  copying  files  must  support  RCP.  The 
RCP  copy  commands  rely  on  the  rsh  server  (or  daemon)  on  the  remote  system.  To  copy  files  by  using 
RCP,  you  do  not  need  to  create  a  server  for  file  distribution  as  you  do  with  TFTP.  You  only  need  to  have 
access  to  a  server  that  supports  the  remote  shell  (rsh).  (Most  UNIX  systems  support  rsh.)  Because  you 
are  copying  a  file  from  one  place  to  another,  you  must  have  read  permission  on  the  source  file  and  write 
permission  on  the  destination  file.  If  the  destination  file  does  not  exist,  RCP  creates  it  for  you. 

RCP  requires  a  client  to  send  a  remote  username  on  each  RCP  request  to  a  server.  When  you  copy  an 
image  from  the  switch  to  a  server  by  using  RCP,  the  Cisco  IOS  software  sends  the  first  valid  username 
in  this  list: 

•  The  username  specified  in  the  archive  download-sw  or  archive  upload-sw  privileged  EXEC 
command  if  a  username  is  specified. 

•  The  username  set  by  the  ip  rcmd  remote-username  username  global  configuration  command  if  the 
command  is  entered. 

•  The  remote  username  associated  with  the  current  TTY  (terminal)  process.  For  example,  if  the  user 
is  connected  to  the  router  through  Telnet  and  was  authenticated  through  the  username  command, 
the  switch  software  sends  the  Telnet  username  as  the  remote  username. 

•  The  switch  hostname. 

For  the  RCP  copy  request  to  execute  successfully,  an  account  must  be  defined  on  the  network  server  for 
the  remote  username.  If  the  server  has  a  directory  structure,  the  image  file  is  written  to  or  copied  from 
the  directory  associated  with  the  remote  username  on  the  server.  For  example,  if  the  image  file  resides 
in  the  home  directory  of  a  user  on  the  server,  specify  that  user's  name  as  the  remote  username. 

Before  you  begin  downloading  or  uploading  an  image  file  by  using  RCP,  do  these  tasks: 

•  Ensure  that  the  workstation  acting  as  the  RCP  server  supports  the  remote  shell  (rsh). 

•  Ensure  that  the  switch  has  a  route  to  the  RCP  server.  The  switch  and  the  server  must  be  in  the  same 
subnetwork  if  you  do  not  have  a  router  to  route  traffic  between  subnets.  Check  connectivity  to  the 
RCP  server  by  using  the  ping  command. 

•  If  you  are  accessing  the  switch  through  the  console  or  a  Telnet  session  and  you  do  not  have  a  valid 
username,  make  sure  that  the  current  RCP  username  is  the  one  that  you  want  to  use  for  the  RCP 
download.  You  can  enter  the  show  users  privileged  EXEC  command  to  view  the  valid  username.  If 
you  do  not  want  to  use  this  username,  create  a  new  RCP  username  by  using  the  ip  rcmd 
remote-username  username  global  configuration  command  to  be  used  during  all  archive 
operations. The new username is stored in NVRAM. If you are accessing the switch through a Telnet
session  and  you  have  a  valid  username,  this  username  is  used,  and  there  is  no  need  to  set  the  RCP 
username.  Include  the  username  in  the  archive  download-sw  or  archive  upload-sw  privileged 
EXEC  command  if  you  want  to  specify  a  username  only  for  that  operation. 

•  When you upload an image to the RCP server, the server must be properly configured to accept the
RCP write request from the user on the switch. For UNIX systems, you must add an entry to the
.rhosts file for the remote user on the RCP server. For example, suppose the switch contains these
configuration lines:

hostname Switch1

ip rcmd remote-username User0

If the switch IP address translates to Switch1.company.com, the .rhosts file for User0 on the RCP
server should contain this line:

Switch1.company.com Switch1

For  more  information,  see  the  documentation  for  your  RCP  server. 

Downloading  an  Image  File  By  Using  RCP 

You  can  download  a  new  image  file  and  replace  or  keep  the  current  image. 

Beginning  in  privileged  EXEC  mode,  follow  Steps  1  through  6  to  download  a  new  image  from  an  RCP 
server  and  overwrite  the  existing  image.  To  keep  the  current  image,  go  to  Step  6. 


Command                                  Purpose

Step 1   (no command)                    Verify that the RCP server is properly configured by
                                         referring to the "Preparing to Download or Upload an Image
                                         File By Using RCP" section on page B-30.

Step 2   (no command)                    Log into the switch through the console port or a Telnet
                                         session.

Step 3   configure terminal              Enter global configuration mode.
                                         This step is required only if you override the default remote
                                         username (see Steps 4 and 5).

Step 4   ip rcmd remote-username username
                                         (Optional) Specify the remote username.

Step 5   end                             Return to privileged EXEC mode.

Step 6   archive download-sw /overwrite /reload
         rcp:[[[//[username@]location]/directory]/image-name.tar]

                                         Download the image file from the RCP server to the switch,
                                         and overwrite the current image.

         •  The /overwrite option overwrites the software image in flash memory with the downloaded
            image.

         •  The /reload option reloads the system after downloading the image unless the configuration
            has been changed and not been saved.

         •  For //username, specify the username. For the RCP copy request to execute successfully, an
            account must be defined on the network server for the remote username. For more
            information, see the "Preparing to Download or Upload an Image File By Using RCP" section
            on page B-30.

         •  For @location, specify the IP address of the RCP server.

         •  For /directory/image-name.tar, specify the directory (optional) and the image to download.
            Directory and image names are case sensitive.

         archive download-sw /leave-old-sw /reload
         rcp:[[[//[username@]location]/directory]/image-name.tar]

                                         Download the image file from the RCP server to the switch,
                                         and keep the current image.

         •  The /leave-old-sw option keeps the old software version after a download.

         •  The /reload option reloads the system after downloading the image unless the configuration
            has been changed and not been saved.

         •  For //username, specify the username. For the RCP copy request to execute, an account must
            be defined on the network server for the remote username. For more information, see the
            "Preparing to Download or Upload an Image File By Using RCP" section on page B-30.

         •  For @location, specify the IP address of the RCP server.

         •  For /directory/image-name.tar, specify the directory (optional) and the image to download.
            Directory and image names are case sensitive.
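As an added example (not Cisco code), the following Python helper models three things explained in the "Preparing to Download or Upload an Image File By Using RCP" section and the command table above: the rcp: URL form accepted by archive download-sw and archive upload-sw, the order in which Cisco IOS picks the remote username, and the .rhosts line the RCP server must hold for that username. It is a preflight check to run before the transfer; the server address, hostname, usernames and image name are constructed sample values.

```python
"""Preflight check for an RCP image transfer from the switch.

Added example, not Cisco's own code.  Sample values are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# URL form from the command table:
#   rcp:[[[//[username@]location]/directory]/image-name.tar]
_RCP_URL = re.compile(
    r"^rcp:"
    r"(?://(?:(?P<user>[^@/]+)@)?(?P<location>[^/]+))?"  # optional //username@location
    r"(?P<path>.*)$"                                     # /directory/image-name.tar
)


@dataclass
class RcpUrl:
    user: Optional[str]       # username given inline in the archive command, if any
    location: Optional[str]   # IP address of the RCP server, if given
    directory: str            # optional directory (case sensitive on the server)
    image: str                # image-name.tar (case sensitive on the server)


def parse_rcp_url(url: str) -> RcpUrl:
    """Split an rcp: URL into username, server, directory and image parts."""
    m = _RCP_URL.match(url)
    if not m:
        raise ValueError(f"not an rcp: URL: {url!r}")
    directory, _, image = m.group("path").rpartition("/")
    if not image.endswith(".tar"):
        raise ValueError(f"image name must be a .tar file: {image!r}")
    return RcpUrl(m.group("user"), m.group("location"), directory, image)


def remote_username(cmd_user: Optional[str], rcmd_user: Optional[str],
                    tty_user: Optional[str], hostname: str) -> str:
    """Return the username Cisco IOS sends with the RCP request.

    Precedence as listed in the text: the username in the archive command,
    then ip rcmd remote-username, then the current TTY's authenticated
    username, and finally the switch hostname.
    """
    for candidate in (cmd_user, rcmd_user, tty_user, hostname):
        if candidate:
            return candidate
    raise ValueError("no remote username available")


def rhosts_line(switch_fqdn: str, switch_hostname: str) -> str:
    """The .rhosts entry shown in the text: '<switch FQDN> <switch hostname>'."""
    return f"{switch_fqdn} {switch_hostname}"


def preflight(url: str, *, rcmd_user: Optional[str], tty_user: Optional[str],
              hostname: str, switch_fqdn: str) -> Dict[str, str]:
    """Work out what the server side must contain before the command is run."""
    parsed = parse_rcp_url(url)
    user = remote_username(parsed.user, rcmd_user, tty_user, hostname)
    return {
        "remote_username": user,
        "server": parsed.location or "(not specified in URL)",
        "remote_path": f"{parsed.directory}/{parsed.image}",
        # the account for the remote username must exist; its home holds .rhosts
        "rhosts_file": f"~{user}/.rhosts",
        "rhosts_line": rhosts_line(switch_fqdn, hostname),
    }


if __name__ == "__main__":
    # Constructed sample: hostname Switch1, ip rcmd remote-username User0,
    # placeholder server address 10.1.1.5, image cgesm-image.tar.
    report = preflight("rcp://10.1.1.5/images/cgesm-image.tar",
                       rcmd_user="User0", tty_user="admin",
                       hostname="Switch1", switch_fqdn="Switch1.company.com")
    for key, value in report.items():
        print(f"{key:16} {value}")
```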

The  download  algorithm  verifies  that  the  image  is  appropriate  for  the  switch  model  and  that  enough 
DRAM  is  present,  or  it  aborts  the  process  and  reports  an  error.  If  you  specify  the  /overwrite  option,  the 
download  algorithm  removes  the  existing  image  on  the  flash  device  whether  or  not  it  is  the  same  as  the 
new  one,  downloads  the  new  image,  and  then  reloads  the  software. 

Note      If the flash device has sufficient space to hold two images and you want to overwrite one of these images
with the same version, you must specify the /overwrite option.


If you specify the /leave-old-sw option, the existing files are not removed. If there is not enough room to install
the new image and keep the running image, the download process stops, and an error message is
displayed.

The algorithm installs the downloaded image onto the system board flash device (flash:). The image is
placed into a new directory named with the software version string, and the BOOT environment variable
is updated to point to the newly installed image.

If you kept the old software during the download process (you specified the /leave-old-sw keyword),
you can remove it by entering the delete /force /recursive filesystem:/file-url privileged EXEC
command. For filesystem, use flash: for the system board flash device. For file-url, enter the directory
name of the old software image. All the files in the directory and the directory are removed.

Caution      For the download and upload algorithms to operate properly, do not rename image names.


Uploading  an  Image  File  By  Using  RCP 

You  can  upload  an  image  from  the  switch  to  an  RCP  server.  You  can  later  download  this  image  to  the 
same  switch  or  to  another  switch  of  the  same  type. 

The  upload  feature  should  be  used  only  if  the  web  management  pages  associated  with  the  embedded 
device  manager  have  been  installed  with  the  existing  image. 

Beginning  in  privileged  EXEC  mode,  follow  these  steps  to  upload  an  image  to  an  RCP  server: 


Command                                  Purpose

Step 1   (no command)                    Verify that the RCP server is properly configured by
                                         referring to the "Preparing to Download or Upload an Image
                                         File By Using RCP" section on page B-30.

Step 2   (no command)                    Log into the switch through the console port or a Telnet
                                         session.

Step 3   configure terminal              Enter global configuration mode.
                                         This step is required only if you override the default remote
                                         username (see Steps 4 and 5).

Step 4   ip rcmd remote-username username
                                         (Optional) Specify the remote username.

Step 5   end                             Return to privileged EXEC mode.

Step 6   archive upload-sw
         rcp:[[[//[username@]location]/directory]/image-name.tar]

                                         Upload the currently running switch image to the RCP
                                         server.

         •  For //username, specify the username; for the RCP copy request to execute, an account must
            be defined on the network server for the remote username. For more information, see the
            "Preparing to Download or Upload an Image File By Using RCP" section on page B-30.

         •  For @location, specify the IP address of the RCP server.

         •  For /directory/image-name.tar, specify the directory (optional) and the name of the software
            image to be uploaded. Directory and image names are case sensitive.

         •  The image-name.tar is the name of the software image to be stored on the server.
The archive upload-sw privileged EXEC command builds an image file on the server by uploading
these files in order: info, the Cisco IOS image, and the web management files. After these files are
uploaded, the upload algorithm creates the tar file format.

Caution      For the download and upload algorithms to operate properly, do not rename image names.
Unsupported Commands in Cisco IOS Release 12.2(37)SE


This  appendix  lists  some  of  the  command-line  interface  (CLI)  commands  that  appear  when  you  enter  the 
question  mark  (?)  at  the  switch  prompt  but  are  not  supported  in  this  release,  either  because  they  are  not 
tested  or  because  of  switch  hardware  limitations.  This  is  not  a  complete  list.  The  unsupported  commands 
are  listed  by  software  feature  and  command  mode. 


Access Control Lists

Unsupported Privileged EXEC Commands

access-enable [host] [timeout minutes]
access-template [access-list-number | name] [dynamic-name] [source] [destination] [timeout minutes]
clear access-template [access-list-number | name] [dynamic-name] [source] [destination]
show access-lists rate-limit [destination]
show accounting
show ip accounting [checkpoint] [output-packets | access violations]
show ip cache [prefix-mask] [type number]

Unsupported Global Configuration Commands

access-list rate-limit acl-index {precedence | mask prec-mask}
access-list dynamic extended

Unsupported Route-Map Configuration Command

match ip address prefix-list prefix-list-name [prefix-list-name...]
Bootloader Commands

Unsupported  Global  Configuration  Command 

boot  buffersize 

Debug  Commands 

Unsupported  Privileged  EXEC  Commands 

debug  platform  cli-redirection  main 
debug  platform  configuration 

IGMP  Snooping  Commands 

Unsupported  Global  Configuration  Command 

ip igmp snooping tcn

Interface  Commands 

Unsupported  Privileged  EXEC  Command 

show interfaces [interface-id | vlan vlan-id] [crb | fair-queue | irb | mac-accounting | precedence | irb
| random-detect | rate-limit | shape]

Unsupported  Global  Configuration  Command 

interface  tunnel 

Unsupported  Interface  Configuration  Command 

transmit-interface  type  number 
MAC Address Commands

Unsupported Privileged EXEC Commands

show mac-address-table
show mac-address-table address
show mac-address-table aging-time
show mac-address-table count
show mac-address-table dynamic
show mac-address-table interface
show mac-address-table multicast
show mac-address-table notification
show mac-address-table static
show mac-address-table vlan
show mac address-table multicast

Note      Use the show ip igmp snooping groups privileged EXEC command to display Layer 2 multicast
address-table entries for a VLAN.


Unsupported  Global  Configuration  Commands 

mac-address-table  aging-time 
mac-address-table  notification 
mac-address-table  static 

Miscellaneous 

Unsupported  Privileged  EXEC  Commands 

file  verify  auto 

remote  command 

show  cable-diagnostics  prbs 

test  cable-diagnostics  prbs 

Unsupported  Global  Configuration  Commands 

errdisable  recovery  cause  unicast  flood 
l2protocol-tunnel global drop-threshold
service  compress-config 
stack-mac  persistent  timer 

Network  Address  Translation  (NAT)  Commands 

Unsupported  Privileged  EXEC  Commands 

show  ip  nat  statistics 
show  ip  nat  translations 

QoS 

Unsupported  Global  Configuration  Command 

priority-list 

Unsupported  Interface  Configuration  Commands 

priority-group 
rate-limit 

Unsupported  Policy-Map  Configuration  Command 

class  class-default  where  class-default  is  the  class-map-name. 

RADIUS 

Unsupported  Global  Configuration  Commands 

aaa  nas  port  extended 
aaa  authentication  feature  default  enable 
aaa  authentication  feature  default  line 
radius-server  attribute  nas-port 
radius-server  configure 
radius-server  extended-portnames 
SNMP

Unsupported  Global  Configuration  Commands 

snmp-server  enable  informs 
snmp-server  ifindex  persist 

Spanning  Tree 

Unsupported  Global  Configuration  Command 

spanning-tree pathcost method {long | short}

Unsupported  Interface  Configuration  Command 

spanning-tree  stack-port 

VLAN 

Unsupported  Global  Configuration  Command 

vlan internal allocation policy {ascending | descending}

Unsupported  vlan-config  Command 

private-vlan 

Unsupported  User  EXEC  Commands 

show  running-config  vlan 
show  vlan  ifindex 
show  vlan  private-vlan 
VTP

Unsupported  Privileged  EXEC  Command 

vtp {password password | pruning | version number}


Note      This  command  has  been  replaced  by  the  vtp  global  configuration  command. 


C-6

Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide

380261-003


A 

abbreviating  commands  2-4 
access-class  command  26-16 
access  control  entries 

See  ACEs 
access-denied  response,  VMPS  9-25 
access  groups,  applying  IPv4  ACLs  to  interfaces  26-17 
access  lists 

See  ACLs 
access  ports,  defined  7-2 
accounting 

with 802.1x 6-30

with IEEE 802.1x 6-9

with  RADIUS  5-28 

with  TACACS+    5-11,  5-17 
ACEs 

and  QoS  27-7 

defined  26-2 

Ethernet  26-2 

IP  26-2 
ACLs 

ACEs  26-2 

any  keyword  26-10 

applying 
time  ranges  to  26-14 
to  an  interface  26-17 
to  QoS  27-7 

classifying  traffic  for  QoS  27-42 

comments  in  26-16 

compiling  26-18 

defined  26-1,26-6 

examples  of  26-18,27-42 
extended  IP,  configuring  for  QoS  classification  27-43 
extended  IPv4 

creating  26-8 

matching  criteria  26-6 
hardware  and  software  handling  26-18 
host  keyword  26-10 
IP 

creating  26-6 

fragments  and  QoS  guidelines  27-32 
implicit deny 26-8, 26-11, 26-13
implicit  masks  26-8 
matching  criteria  26-6 
undefined  26-17 
IPv4 

applying  to  interfaces  26-17 
creating  26-6 
matching  criteria  26-6 
named  26-12 
numbers  26-6 

terminal  lines,  setting  on  26-16 

unsupported  features  26-5 
MAC  extended    26-20, 27-44 
matching  26-6,26-17 
monitoring  26-29 
named,  IPv4  26-12 
number  per  QoS  class  map  27-32 
port  26-2 
precedence  of  26-2 
QoS    27-7, 27-42 
resequencing  entries  26-12 

standard  IP,  configuring  for  QoS  classification  27-42 
standard IPv4
creating  26-7 
matching  criteria  26-6 
support  for  1-7 
support  in  hardware  26-18 
time  ranges  26-14 
types  supported  26-2 
unsupported  features,  IPv4  26-5 
VLAN  maps 
configuration  guidelines  26-23 
configuring  26-22 
active  links  15-2 
address  aliasing  17-2 
addresses 

displaying  the  MAC  address  table  4-26 
dynamic 

accelerated  aging  12-8 

changing  the  aging  time  4-21 

default  aging  12-8 

defined  4-19 

learning    3-10, 4-20 

removing  4-22 
MAC,  discovering  4-26 
multicast,  STP  address  management  12-8 
static 

adding  and  removing  4-24 
defined  4-19 
address  resolution  4-26 
Address  Resolution  Protocol 

See  ARP 
advertisements 

CDP  19-1 

LLDP  20-1,20-2 

VTP    9-17, 10-3 
aggregated  ports 

See  EtherChannel 
aggregate  policers  27-55 
aggregate  policing  1-8 
aging,  accelerating  12-8 


aging  time 
accelerated 
for MSTP 13-23
for  STP    12-8, 12-21 
MAC  address  table  4-21 
maximum 
for MSTP 13-23, 13-24
for  STP    12-21, 12-22 
alarms,  RMON  23-3 
allowed-VLAN list 9-19
ARP 
defined  1-4,4-26 
table 

address  resolution  4-26 
managing  4-26 
attributes,  RADIUS 
vendor-proprietary  5-31 
vendor-specific 5-29
audience  xxix 
authentication 
local  mode  with  AAA  5-36 
NTP  associations  4-4 
RADIUS 
key  5-21 
login  5-23 
TACACS+ 
defined  5-11 
key  5-13 
login  5-14 
See  also  port-based  authentication 
authentication  failed  VLAN 

See  restricted  VLAN 
authoritative  time  source,  described  4-2 
authorization 
with  RADIUS  5-27 
with TACACS+ 5-11, 5-16
authorized ports with IEEE 802.1x 6-7
autoconfiguration  3-3 
automatic QoS

See  QoS 
auto-MDIX 

configuring  7-13 

described  7-13 
autonegotiation 

duplex  mode  1-3 

interface  configuration  guidelines  7-11 

mismatches  29-11 
autosensing,  port  speed  1-3 
auxiliary  VLAN 

See  voice  VLAN 
availability,  features  1-5 


B 

BackboneFast 

described  14-5 

disabling  14-14 

enabling  14-13 

support  for  1-5 
backup  interfaces 

See  Flex  Links 
backup  links  15-2 
banners 

configuring 
login  4-19 

message-of-the-day  login  4-18 

default  configuration  4-17 

when  displayed  4-17 
binding  table,  DHCP  snooping 

See  DHCP  snooping  binding  database 
blocking  packets  18-6 
booting 

boot  loader,  function  of  3-2 

boot  process  3-1 

manually  3-13 

specific  image  3-14 


boot  loader 

accessing  3-15 

described  3-2 

environment  variables  3-15 

prompt  3-15 

trap-door  mechanism  3-2 
BPDU 

error-disabled  state  14-2 

filtering  14-3 

RSTP  format  13-12 
BPDU  filtering 

described  14-3 

disabling  14-12 

enabling  14-12 

support  for  1-6 
BPDU  guard 

described  14-2 

disabling  14-12 

enabling  14-11 

support  for  1-6 
bridge  protocol  data  unit 

See  BPDU 
broadcast  storm-control  command  18-4 
broadcast  storms  18-1 

C

cables,  monitoring  for  unidirectional  links  21-1 
CA  trustpoint 

configuring  5-45 

defined  5-42 
caution,  described  xxx 
CDP 

and  trusted  boundary  27-38 
configuring  19-2 
default  configuration  19-2 
defined  with  LLDP  20-1 
described  19-1 

disabling  for  routing  device    19-3  to  19-4 
enabling  and  disabling 

on  an  interface  19-4 

on  a  switch  19-3 
monitoring  19-5 
overview  19-1 
support  for  1-4 

transmission  timer  and  holdtime,  setting  19-2 
updates  19-2 
CGMP 

as  IGMP  snooping  learning  method  17-8 

joining  multicast  group  17-3 
CipherSuites  5-44 
Cisco  7960  IP  Phone  11-1 
Cisco  Discovery  Protocol 

See  CDP 

Cisco  Intelligence  Engine  2100  Series  Configuration 
Registrar 

See  IE2100 
Cisco  IOS  File  System 

See  IFS 
Cisco  Network  Assistant 

See  Network  Assistant 
CiscoWorks 2000 1-4, 25-4
CIST  regional  root 

See  MSTP 
CIST  root 

See  MSTP 
class  maps  for  QoS 

configuring  27-45 

described  27-7 

displaying  27-75 
class  of  service 

See  CoS 
clearing  interfaces  7-17 
CLI 

abbreviating  commands  2-4 
command  modes  2-1 
configuration  logging  2-5 


described  1-4 
editing  features 

enabling  and  disabling  2-7 

keystroke  editing  2-7 

wrapped  lines  2-9 
error  messages  2-5 
filtering  command  output  2-10 
getting  help  2-3 
history 

changing  the  buffer  size  2-6 

described  2-6 

disabling  2-7 

recalling  commands  2-6 

no  and  default  forms  of  commands  2-4 
client  mode,  VTP  10-3 
clock 

See  system  clock 
cluster  requirements  xxx 
clusters,  switch 

benefits  1-2 
command-line  interface 

See  CLI 
command  modes  2-1 
commands 

abbreviating  2-4 

no  and  default  2-4 
commands,  setting  privilege  levels  5-8 
command  switch 

configuration  conflicts  29-11 

recovery 

from  command-switch  failure  29-8 
from  lost  member  connectivity  29-11 
replacing 
with  another  switch  29-10 
with  cluster  member  29-8 
community strings

configuring  25-8 

for  cluster  switches  25-4 

overview  25-4 
compatibility,  feature  18-11 
config.text  3-12 

configurable  leave  timer,  IGMP  17-5 
configuration,  initial 

defaults  1-9 

Express  Setup  1-2 

See  also  getting  started  guide  and  hardware  installation 
guide 

configuration  conflicts,  recovering  from  lost  member 
connectivity  29-11 

configuration  files 

clearing  the  startup  configuration  B-20 

creating  using  a  text  editor  B-11 

default  name  3-12 

deleting  a  stored  configuration  B-20 

described  B-8 

downloading 

automatically  3-13 

preparing    B-11,  B-14,  B-17 

reasons  for  B-9 

using  FTP  B-14 

using  RCP  B-18 

using  TFTP  B-12 
guidelines  for  creating  and  using  B-10 
invalid  combinations  when  copying  B-5 
limiting  TFTP  server  access  25-16 
obtaining  with  DHCP  3-7 
password  recovery  disable  considerations  5-5 
specifying  the  filename  3-13 
system  contact  and  location  information  25-15 
types  and  location  B-10 


uploading 
preparing    B-11,  B-14,  B-17 
reasons  for  B-9 
using  FTP  B-15 
using  RCP  B-19 
using  TFTP  B-12 
configuration  logging  2-5 
configuration  settings,  saving  3-11 
configure  terminal  command  7-5 
config-vlan  mode    2-2, 9-6 
conflicts,  configuration  29-11 
connections,  secure  remote  5-38 
connectivity  problems    29-13, 29-14, 29-16 
consistency  checks  in  VTP  Version  2  10-4 
console  port,  connecting  to  2-10 
conventions 
command  xxx 
for  examples  xxx 
publication  xxx 
text  xxx 

corrupted  software,  recovery  steps  with  Xmodem  29-2 
CoS 

in  Layer  2  frames  27-2 

override  priority  11-6 

trust  priority  11-6 
CoS  input  queue  threshold  map  for  QoS  27-16 
CoS  output  queue  threshold  map  for  QoS  27-19 
CoS-to-DSCP  map  for  QoS  27-58 
counters,  clearing  interface  7-17 
crashinfo  file  29-22 

critical authentication, IEEE 802.1x 6-33
cryptographic  software  image 

Kerberos  5-32 

SSH  5-37 
D

daylight  saving  time  4-13 
debugging 

enabling  all  system  diagnostics  29-19 

enabling  for  a  specific  feature  29-19 

redirecting  error  message  output  29-20 

using  commands  29-18 
default  commands  2-4 
default  configuration 

802.1x 6-19

auto-QoS  27-21 

banners  4-17 

booting  3-12 

CDP  19-2 

DHCP  16-5 

DHCP  option  82  16-6 

DHCP  snooping  16-6 

DNS  4-16 

EtherChannel  28-9 

Ethernet  interfaces  7-9 

Flex  Links  15-5 

IGMP  filtering  17-24 

IGMP  snooping  17-6 

IGMP  throttling  17-24 

initial  switch  information  3-3 

Layer  2  interfaces  7-9 

LLDP  20-3 

MAC  address  table  4-21 

MAC  address-table  move  update  15-5 

MSTP  13-14 

MVR  17-19 

NTP  4-4 

optional  spanning-tree  configuration  14-9 
password  and  privilege  level  5-2 
RADIUS  5-20 
RMON  23-3 
RSPAN  22-9 
SNMP  25-7 


SPAN  22-9 
SSL  5-44 
standard  QoS  27-30 
STP  12-11 

system  message  logging  24-3 
system  name  and  prompt  4-15 
TACACS+  5-13 
UDLD  21-4 

VLAN,  Layer  2  Ethernet  interfaces  9-17 

VLANs  9-7 

VMPS  9-26 

voice  VLAN  11-3 

VTP  10-6 

default  gateway  3-10 

deleting  VLANs  9-10 

denial-of-service  attack  18-1 

description  command  7-14 

destination  addresses,  in  IPv4  ACLs  26-9 

destination-IP  address-based  forwarding, 
EtherChannel  28-7 

destination-MAC  address  forwarding,  EtherChannel  28-6 

detecting  indirect  link  failures,  STP  14-5 

device  B-20 

device  discovery  protocol  19-1,20-1 
device  manager 

benefits  1-2 

described  1-4 

in-band  management  1-5 

requirements  xxx 

upgrading  a  switch  B-20 
DHCP 

Cisco  IOS  server  database 

configuring  16-9 
enabling 

relay  agent  16-7 
DHCP-based autoconfiguration
client  request  message  exchange  3-4 
configuring 

client  side  3-3 

DNS  3-6 

relay  device  3-6 

server  side  3-5 

TFTP  server  3-6 
example  3-8 
lease  options 

for  IP  address  information  3-5 

for  receiving  the  configuration  file  3-5 
overview  3-3 
relationship  to  BOOTP  3-3 
relay  support  1-4 
support  for  1-4 
DHCP  binding  table 

See  DHCP  snooping  binding  database 
DHCP  option  82 
circuit  ID  suboption  16-5 
configuration  guidelines  16-6 
default  configuration  16-5 
displaying  16-9 
overview  16-3 
packet  format,  suboption 

circuit  ID  16-5 

remote  ID  16-5 
remote  ID  suboption  16-5 
DHCP  snooping 

accepting untrusted packets from edge switch 16-3, 16-8

configuration  guidelines  16-6 

default  configuration  16-5 

displaying  binding  tables  16-9 

message  exchange  process  16-4 

option  82  data  insertion  16-3 

trusted  interface  16-2 

untrusted  interface  16-2 

untrusted  messages  16-2 


DHCP  snooping  binding  database 

binding  entries,  displaying  16-9 

default  configuration  16-5 

displaying  16-9 
DHCP  snooping  binding  table 

See  DHCP  snooping  binding  database 
Differentiated  Services  architecture,  QoS  27-2 
Differentiated  Services  Code  Point  27-2 
directed  unicast  requests  1-4 
directories 

changing  B-3 

creating  and  removing  B-4 

displaying  the  working  B-3 
DNS 

and  DHCP-based  autoconfiguration  3-6 
default  configuration  4-16 
displaying  the  configuration  4-17 
overview  4-15 
setting  up  4-16 
support  for  1-4 
documentation,  related  xxx 
document  conventions  xxx 
domain  names 
DNS  4-15 
VTP  10-8 
Domain  Name  System 

See  DNS 
downloading 
configuration  files 
preparing B-11, B-14, B-17
reasons for B-9
using FTP B-14
using  RCP  B-18 
using  TFTP  B-12 
image  files 

deleting  old  image  B-24 

preparing    B-23,  B-26,  B-30 

reasons  for  B-20 

using  CMS  1-2 

using  FTP  B-27 

using  HTTP    1-2,  B-20 

using  RCP  B-31 

using  TFTP  B-23 

using  the  device  manager  or  Network  Assistant  B 
DSCP  1-8,27-2 

DSCP  input  queue  threshold  map  for  QoS  27-16 
DSCP  output  queue  threshold  map  for  QoS  27-19 
DSCP-to-CoS  map  for  QoS  27-61 
DSCP-to-DSCP-mutation  map  for  QoS  27-62 
DSCP  transparency  27-39 
DTP  1-6,9-15 
dynamic  access  ports 

characteristics  9-3 

configuring  9-28 

defined  7-2 
dynamic  addresses 

See  addresses 
dynamic  auto  trunking  mode  9-16 
dynamic  desirable  trunking  mode  9-16 
Dynamic  Host  Configuration  Protocol 

See  DHCP-based  autoconfiguration 
dynamic  port  VLAN  membership 

described  9-26 

reconfirming  9-29 

troubleshooting  9-30 

types  of  connections  9-28 
Dynamic  Trunking  Protocol 

See DTP

E

editing features
enabling  and  disabling  2-7 
keystrokes  used  2-7 
wrapped  lines  2-9 
enable  password  5-3 
enable  secret  password  5-3 
encryption,  CipherSuite  5-44 
encryption  for  passwords  5-3 
environment  variables,  function  of  3-16 
error-disabled  state 

BPDU  14-2 
error  messages  during  command  entry  2-5 
EtherChannel 
automatic  creation  of    28-4, 28-5 
channel  groups 
binding  physical  and  logical  interfaces  28-3 
numbering  of  28-3 
configuration  guidelines  28-9 
configuring  Layer  2  interfaces  28-10 
default  configuration  28-9 
described  28-2 
displaying  status  28-17 
forwarding  methods    28-6, 28-12 
IEEE  802.3ad,  described  28-5 
interaction 
with  STP  28-9 
with  VLANs  28-10 
LACP 
described  28-5 
displaying  status  28-17 
hot-standby  ports  28-14 
interaction  with  other  features  28-6 
modes  28-5 
port  priority  28-16 
system  priority  28-15 
load  balancing    28-6, 28-12 
PAgP

aggregate-port  learners  28-13 

compatibility with Catalyst 1900 28-13

described  28-4 

displaying  status  28-17 

interaction  with  other  features  28-5 

learn  method  and  priority  configuration  28-13 

modes  28-4 

support  for  1-3 
port-channel  interfaces 

described  28-3 

numbering  of  28-3 
port  groups  7-3 
support  for  1-3 
EtherChannel  guard 
described  14-7 
disabling  14-14 
enabling  14-14 
Ethernet  VLANs 
adding  9-8 

defaults  and  ranges  9-7 

modifying  9-8 
events,  RMON  23-3 
examples 

conventions  for  xxx 
expedite  queue  for  QoS  27-74 
Express  Setup  1-2 

See  also  getting  started  guide 
extended  crashinfo  file  29-22 
extended-range  VLANs 

configuration  guidelines  9-12 

configuring  9-11 

creating  9-12 

defined  9-1 
extended  system  ID 

MSTP  13-17 

STP    12-4, 12-14 
Extensible  Authentication  Protocol  over  LAN  6-1 


F 

fa0 interface 1-5
features,  incompatible  18-11 
fiber-optic,  detecting  unidirectional  links 
files 
basic  crashinfo 
description  29-22 
location  29-22 
copying  B-4 
crashinfo 

description  29-22 
deleting  B-5 

displaying  the  contents  of  B-8 
extended  crashinfo 

description  29-22 

location  29-22 
tar 

creating  B-6 

displaying  the  contents  of  B-6 
extracting  B-8 
image  file  format  B-21 
file  system 

displaying  available  file  systems  B-2 

displaying  file  information  B-3 

local  file  system  names  B-1 

network  file  system  names  B-4 

setting  the  default  B-3 
filtering 

in  a  VLAN  26-22 

non-IP  traffic  26-20 

show  and  more  command  output  2-10 
filtering  show  and  more  command  output 
filters,  IP 

See  ACLs,  IP 
flash  device,  number  of  B-1 
Flex Links

configuration  guidelines  15-5 

configuring    15-6, 15-7 

configuring  preferred  VLAN  15-9 

configuring  VLAN  load  balancing  15-8 

default  configuration  15-5 

description  15-1 

link  load  balancing  15-2 

monitoring  15-11 

VLANs  15-2 
flooded  traffic,  blocking  18-7 
flow-based  packet  classification  1-8 
flowcharts 

QoS  classification  27-6 

QoS  egress  queueing  and  scheduling  27-17 

QoS  ingress  queueing  and  scheduling  27-15 

QoS  policing  and  marking  27-10 
flowcontrol 

configuring  7-12 

described  7-12 
forward-delay  time 

MSTP  13-23 

STP  12-21 
FTP 

accessing  MIB  files  A-3 
configuration  files 

downloading  B-14 

overview  B-13 

preparing  the  server  B-14 

uploading  B-15 
image  files 

deleting  old  image  B-28 

downloading  B-27 

preparing  the  server  B-26 

uploading  B-28 


G

get-next-request operation 25-3, 25-5
get-request  operation    25-3, 25-5 
get-response  operation  25-3 
global  configuration  mode  2-2 
global  leave,  IGMP  17-12 
guest VLAN and 802.1x 6-12
guide 

audience  xxix 

purpose  of  xxix 
guide  mode  1-2 
GUIs 

See  device  manager  and  Network  Assistant 

H 

hello  time 
MSTP  13-22 
STP  12-20 

help,  for  the  command  line  2-3 
hierarchical  policy  maps  27-8 

configuration  guidelines  27-32 

configuring  27-50 

described  27-11 
history 

changing  the  buffer  size  2-6 

described  2-6 

disabling  2-7 

recalling  commands  2-6 
history  table,  level  and  number  of  syslog  messages  24-9 
hosts,  limit  on  dynamic  ports  9-30 
HP  Open  View  1-4 
HTTP  over  SSL 

see  HTTPS 
HTTPS  5-42 

configuring  5-46 

self-signed  certificate  5-43 
HTTP  secure  server  5-42 


get-bulk-request operation 25-3

I

ICMP

time-exceeded  messages  29-16 

traceroute  and  29-16 
ICMP  ping 

executing  29-13 

overview  29-13 
IDS  appliances 

and  ingress  RSPAN  22-20 

and  ingress  SPAN  22-13 
IEEE 802.1D

See STP
IEEE 802.1p 11-1
IEEE 802.1Q

and  trunk  ports  7-3 

configuration  limitations  9-16 

encapsulation  9-14 

native  VLAN  for  untagged  traffic  9-21 
IEEE  802.1s 

See  MSTP 
IEEE 802.1w

See  RSTP 
IEEE 802.1x

See  port-based  authentication 
IEEE  802.3ad 

See  EtherChannel 
IEEE  802.3x  flow  control  7-12 
ifIndex values, SNMP 25-6
IFS  1-5 
IGMP 

configurable  leave  timer 
described  17-5 
enabling  17-11 


IGMP  (continued) 
flooded  multicast  traffic 

controlling  the  length  of  time  17-12 

disabling  on  an  interface  17-13 

global  leave  17-12 

query  solicitation  17-12 

recovering  from  flood  mode  17-12 
joining  multicast  group  17-3 
join  messages  17-3 
leave  processing,  enabling  17-10 
leaving  multicast  group  17-5 
queries  17-4 
report  suppression 

described  17-6 

disabling  17-15 
supported  versions  17-2 
support  for  1-3 
IGMP  filtering 
configuring  17-24 
default  configuration  17-24 
described  17-23 
monitoring  17-28 
support  for  1-3 
IGMP  groups 
configuring  filtering  17-27 
setting  the  maximum  number  17-26 
IGMP  Immediate  Leave 
configuration  guidelines  17-11 
described  17-5 
enabling  17-10 
IGMP  profile 
applying  17-25 
configuration  mode  17-24 
configuring  17-25 
IGMP snooping
and  address  aliasing  17-2 
configuring  17-6 
default  configuration  17-6 
definition  17-1 
enabling  and  disabling  17-7 
global  configuration  17-7 
Immediate  Leave  17-5 
method  17-8 
monitoring  17-15 
querier 

configuration  guidelines  17-13 
configuring  17-13 

supported  versions  17-2 

support  for  1-3 

VLAN  configuration  17-7 
IGMP  throttling 

configuring  17-27 

default  configuration  17-24 

described  17-24 

displaying  action  17-28 
Immediate  Leave,  IGMP  17-5 
inaccessible  authentication  bypass  6-14 
initial  configuration 

defaults  1-9 

Express  Setup  1-2 

See  also  getting  started  guide  and  hardware  ins 
guide 

interface 

range  macros  7-7 
interface  command    7-4  to  7-5 
interface  configuration  mode  2-3 
interfaces 

auto-MDIX,  configuring  7-13 

configuration  guidelines 
duplex  and  speed  7-10 

configuring 
procedure  7-5 


interfaces  (continued) 

counters,  clearing  7-17 

default  configuration  7-9 

described  7-14 

descriptive  name,  adding  7-14 

displaying  information  about  7-16 

flow  control  7-12 

management  1-4 

monitoring  7-16 

naming  7-14 

physical,  identifying  7-4 

range  of  7-6 

restarting  7-17 

shutting  down  7-17 

speed  and  duplex,  configuring  7-11 

status  7-16 

supported  7-4 

types  of  7-1 
interfaces  range  macro  command  7-7 
interface  types  7-4 
Inter-Switch  Link 

See ISL 
Intrusion  Detection  System 

See  IDS  appliances 
IP  ACLs 

for  QoS  classification  27-7 

implicit  deny  26-8,26-11 

implicit  masks  26-8 

named  26-12 

undefined  26-17 
IP  addresses 

discovering  4-26 
ip  igmp  profile  command  17-24 
IP  information 

assigned 
manually  3-10 

through  DHCP-based  autoconfiguration  3-3 
configuring 11-4

ensuring  port  security  with  QoS  27-37 
trusted  boundary  for  QoS  27-37 
IP  precedence  27-2 

IP-precedence-to-DSCP  map  for  QoS  27-59 
IP  protocols  in  ACLs  26-9 
IP  traceroute 

executing  29-17 

overview  29-16 
IPv4  ACLs 

applying  to  interfaces  26-17 

extended,  creating  26-8 

named  26-12 

standard,  creating  26-7 
ISL 

and  trunk  ports  7-3 
encapsulation  9-14 

J 

join  messages,  IGMP  17-3 
K

KDC
described  5-32 
See  also  Kerberos 
Kerberos 
authenticating  to 
boundary  switch  5-34 
KDC  5-34 

network  services  5-35 
configuring 5-35
credentials 5-32

cryptographic  software  image  5-32 

described  5-32 

KDC  5-32 

operation  5-34 

realm  5-33 

server  5-34 

support  for  1-8 

switch  as  trusted  third  party  5-32 
terms  5-33 
TGT  5-34 
tickets  5-32 
key  distribution  center 
See  KDC 

L 

LACP 

See  EtherChannel 
Layer  2  frames,  classification  with  CoS  27-2 
Layer  2  interfaces,  default  configuration  7-9 
Layer  2  traceroute 

and  ARP  29-15 

and  CDP  29-15 

broadcast  traffic  29-14 

described  29-14 

IP  addresses  and  subnets  29-15 

MAC  addresses  and  VLANs  29-15 

multicast  traffic  29-15 

multiple  devices  on  a  port  29-15 

unicast  traffic  29-14 

usage  guidelines  29-15 
Layer  2  trunk  failover 

described  28-17 
Layer  3  packets,  classification  methods  27-2 
LEDs,  switch 
Link Aggregation Control Protocol

See  EtherChannel 
Link  Failure 

detecting  unidirectional  13-8 
Link  Layer  Discovery  Protocol 

See  CDP 
link  redundancy 

See  Flex  Links 
links,  unidirectional  21-1 
LLDP 

configuring  20-3 
characteristics  20-3 
default  configuration  20-3 

disabling  and  enabling 
globally  20-4 
on  an  interface  20-5 

monitoring  and  maintaining  20-7 

overview  20-1 

supported TLVs 20-1

switch  stack  considerations  20-2 

transmission  timer  and  holdtime,  setting  20-3 
LLDP-MED 

configuring  20-3 
TLVs 20-6

monitoring  and  maintaining  20-7 

overview  20-1,20-2 

supported TLVs 20-2
LLDP  Media  Endpoint  Discovery 

See  LLDP-MED 
local  SPAN  22-2 
login  authentication 

with  RADIUS  5-23 

with  TACACS+  5-14 
login  banners  4-17 
log  messages 

See  system  message  logging 
Long-Reach  Ethernet  (LRE)  technology  1-13 


loop  guard 
described  14-9 
enabling  14-15 
support  for  1-6 

M 

MAC  3-10 

MAC  addresses 
aging  time  4-21 
and  VLAN  association  4-20 
building  the  address  table  4-20 
default  configuration  4-21 
discovering  4-26 
displaying  4-26 
dynamic 

learning  4-20 

removing  4-22 
in  ACLs  26-20 

manually  assigning  IP  address  3-10 
static 

adding  4-24 

allowing  4-25 

characteristics  of  4-24 

dropping  4-25 

removing  4-24 
MAC  address  notification,  support  for  1-9 
MAC  address-table  move  update 
configuration  guidelines  15-5 
configuring  15-9 
default  configuration  15-5 
description  15-3 
monitoring  15-11 
MAC address-to-VLAN mapping 9-25
MAC extended access lists

applying  to  Layer  2  interfaces  26-21 
configuring  for  QoS  27-44 
creating  26-20 
defined  26-20 
for  QoS  classification  27-5 
macros 

See  Smartports  macros 
magic  packet  6-16 
manageability  features  1-4 
management  access 
in-band 
browser  session  1-5 
CLI  session  1-5 
device  manager  1-5 
SNMP  1-5 
out-of-band  console  port  connection  1-5 
management  options 
CLI  2-1 
clustering  1-2 
Network  Assistant  1-2 
overview  1-4 
mapping  tables  for  QoS 
configuring 
CoS-to-DSCP  27-58 
DSCP  27-57 
DSCP-to-CoS  27-61 
DSCP-to-DSCP-mutation  27-62 
IP-precedence-to-DSCP  27-59 
policed-DSCP  27-60 
described  27-12 
marking 
action  in  policy  map  27-47 
action  with  aggregate  policers  27-55 
described    27-4, 27-8 
matching,  IPv4  ACLs  26-6 
maximum  aging  time 
MSTP  13-23 
STP  12-21 


maximum  hop  count,  MSTP  13-24 
membership  mode,  VLAN  port  9-3 
member  switch 

recovering  from  lost  connectivity  29-11 
messages 

to  users  through  banners  4-17 
messages,  to  users  through  banners  4-17 
MIBs 

accessing  files  with  FTP  A-3 

location  of  files  A-3 

overview  25-1 

SNMP  interaction  with  25-4 

supported  A-1 
mirroring  traffic  for  analysis  22-1 
mismatches,  autonegotiation  29-11 
module  number  7-4 
monitoring 

access  groups  26-29 

cables  for  unidirectional  links  21-1 

CDP  19-5 

features  1-9 

Flex  Links  15-11 

IGMP 
filters  17-28 
snooping  17-15 

interfaces  7-16 

IPv4  ACL  configuration  26-29 

MAC  address-table  move  update  15-11 

multicast  router  interfaces  17-16 

MVR  17-23 

network  traffic  for  analysis  with  probe  22-2 
port 

blocking  18-17 

protection  18-17 
SFP  status  7-16,29-12 
speed  and  duplex  mode  7-11 
traffic  flowing  among  switches  23-1 
traffic  suppression  18-17 
monitoring (continued)
VLAN 

filters  26-29 

maps  26-29 
VLANs  9-14 
VMPS  9-30 
VTP  10-16 
more  6-41 
MSTP 
boundary  ports 

configuration  guidelines  13-15 

described  13-6 
BPDU  filtering 

described  14-3 

enabling  14-12 
BPDU  guard 

described  14-2 

enabling  14-11 
CIST,  described  13-3 
CIST  regional  root  13-3 
CIST  root  13-5 

configuration  guidelines    13-15, 14-10 
configuring 

forward-delay  time  13-23 

hello  time  13-22 

link  type  for  rapid  convergence  13-24 
maximum  aging  time  13-23 
maximum  hop  count  13-24 
MST  region  13-16 
neighbor  type  13-25 
path  cost  13-20 
port  priority  13-19 
root  switch  13-17 
secondary  root  switch  13-18 
switch  priority  13-21 
CST 
defined  13-3 

operations  between  regions  13-4 


MSTP  (continued) 
default  configuration  13-14 
default  optional  feature  configuration  14-9 
displaying  status  13-26 
enabling  the  mode  13-16 
EtherChannel  guard 

described  14-7 

enabling  14-14 
extended  system  ID 

effects  on  root  switch  13-17 

effects  on  secondary  root  switch  13-18 

unexpected  behavior  13-17 
IEEE  802.1s 

implementation  13-6 

port  role  naming  change  13-7 

terminology  13-5 
instances  supported  12-9 
interface  state,  blocking  to  forwarding  14-2 
interoperability  and  compatibility  among  modes  12-10 
interoperability with IEEE 802.1D

described  13-8 

restarting  migration  process  13-25 
IST
defined  13-3 
master  13-3 

operations  within  a  region  13-3 
loop  guard 

described  14-9 

enabling  14-15 
mapping  VLANs  to  MST  instance  13-16 
MST  region 

CIST  13-3 

configuring  13-16 

described  13-2 

hop-count  mechanism  13-5 

IST 13-3

supported  spanning-tree  instances  13-2 
optional  features  supported  1-6 
overview  13-2 
MSTP (continued)
Port  Fast 
described  14-2 
enabling  14-10 
preventing  root  switch  selection  14-8 
root  guard 
described  14-8 
enabling  14-15 
root  switch 
configuring  13-17 
effects  of  extended  system  ID  13-17 
unexpected  behavior  13-17 
shutdown  Port  Fast-enabled  port  14-2 
status,  displaying  13-26 
multicast  groups 
Immediate  Leave  17-5 
joining  17-3 
leaving  17-5 
static  joins  17-9 
multicast  packets 
blocking  18-7 
multicast  packets,  blocking  18-7 
multicast  router  interfaces,  monitoring  17-16 
multicast  router  ports,  adding  17-9 
multicast  storm  18-1 
multicast  storm-control  command  18-4 
multicast  television  application  17-18 
multicast  VLAN  17-17 
Multicast  VLAN  Registration 

See  MVR 
MVR 

and  address  aliasing  17-20 
and IGMPv3 17-20
configuration  guidelines  17-20 
configuring  interfaces  17-21 
default  configuration  17-19 
described  17-17 
example  application  17-18 
modes  17-21 


MVR  (continued) 
monitoring  17-23 

multicast  television  application  17-18 
setting  global  parameters  17-20 
support  for  1-3 

N 

NAC 

critical  authentication    6-14,  6-33 

inaccessible  authentication  bypass  6-33 

Layer 2 IEEE 802.1x validation 1-7
named  IPv4  ACLs  26-12 
native  VLAN 

configuring  9-21 

default  9-21 
Network  Admission  Control 

See  NAC 
Network  Assistant 

benefits  1-2 

described  1-4 

downloading  image  files  1-2 

guide  mode  1-2 

management  options  1-2 

requirements  xxx 

wizards  1-2 
network  configuration  examples 

increasing  network  performance  1-12 

providing  network  services  1-12 

server  aggregation  and  Linux  server  cluster  1-14 
network  design 

performance  1-12 

services  1-12 
network  management 

CDP  19-1 

RMON  23-1 

SNMP  25-1 
Network  Time  Protocol 

See  NTP 
no commands 2-4
nonhierarchical  policy  maps 

configuration  guidelines  27-32 

configuring  27-47 

described  27-9 
non-IP  traffic  filtering  26-20 
nontrunking  mode  9-16 
normal-range  VLANs  9-4 

configuration  guidelines  9-5 

configuration  modes  9-6 

configuring  9-4 

defined  9-1 
note,  described  xxx 
NTP 

associations 
authenticating  4-4 
defined  4-2 

enabling  broadcast  messages  4-6 

peer  4-5 

server  4-5 
default  configuration  4-4 
displaying  the  configuration  4-11 
overview  4-2 
restricting  access 

creating  an  access  group  4-8 

disabling  NTP  services  per  interface  4-10 
source  IP  address,  configuring  4-10 
stratum  4-2 
support  for  1-5 
synchronizing  devices  4-5 
time 

services  4-2 

synchronizing  4-2 

O

options,  management  1-4 
out-of-profile  markdown  1-8 


P 

packet  modification,  with  QoS  27-19 
PAgP 

See  EtherChannel 
passwords 

default  configuration  5-2 

disabling  recovery  of  5-5 

encrypting  5-3 

for  security  1-7 

overview  5-1 

recovery  of  29-3 

setting 
enable  5-3 
enable  secret  5-3 
Telnet  5-6 
with  usernames  5-6 

VTP  domain  10-8 
path  cost 

MSTP  13-20 

STP  12-18 
performance,  network  design  1-12 
performance  features  1-3 
persistent  self-signed  certificate  5-43 
per-VLAN  spanning-tree  plus 

See  PVST+ 
physical  ports  7-2 

PIM-DVMRP,  as  snooping  method  17-8 
ping 

character  output  description  29-14 

executing  29-13 

overview  29-13 
policed-DSCP  map  for  QoS  27-60 
policers 

configuring 
for  each  matched  traffic  class  27-47 
for  more  than  one  traffic  class  27-55 

described  27-4 

displaying  27-75 


IN-18


Cisco Gigabit Ethernet Switch Module for HP p-Class BladeSystem Software Configuration Guide


380261-003


Index B


policers  (continued) 
number  of  27-33 
types  of  27-9 
policing 
described  27-4 
hierarchical 

See  hierarchical  policy  maps 
token-bucket  algorithm  27-9 
policy  maps  for  QoS 
characteristics  of  27-47 
described  27-7 
displaying  27-76 
hierarchical  27-8 
hierarchical  on  SVIs 

configuration  guidelines  27-32 

configuring  27-50 

described  27-11 
nonhierarchical  on  physical  ports 

configuration  guidelines  27-32 

configuring  27-47 

described  27-9 
port  ACLs 
defined  26-2 
types  of  26-2 
Port  Aggregation  Protocol 

See  EtherChannel 
port-based  authentication 
accounting  6-9 
authentication  server 

defined  6-2 

RADIUS  server  6-2 
client,  defined  6-2 
configuration  guidelines  6-21 


port-based  authentication  (continued) 
configuring 

802.1x authentication 6-23
guest  VLAN  6-31 
host  mode  6-26 

inaccessible  authentication  bypass  6-33 
manual  re-authentication  of  a  client  6-27 
periodic  re-authentication  6-26 
quiet  period  6-27 
RADIUS  server  6-25 

RADIUS  server  parameters  on  the  switch  6-24 
restricted  VLAN  6-32 

switch-to-client  frame-retransmission  number  6-29 

switch-to-client  retransmission  time  6-28 
default  configuration  6-19 
described  6-1 
device  roles  6-2 
displaying  statistics  6-42 
EAPOL-start  frame  6-5 
EAP-request/identity  frame  6-5 
EAP-response/identity  frame  6-5 
encapsulation  6-3 
guest  VLAN 

configuration  guidelines  6-13,6-14 

described  6-12 
host  mode  6-8 

inaccessible  authentication  bypass 

configuring  6-33 

described  6-14 

guidelines  6-22 
initiation  and  message  exchange  6-5 
magic  packet  6-16 
method  lists  6-23 
multiple-hosts  mode,  described  6-8 
port-based authentication (continued)
per-user  ACLs 
AAA  authorization  6-23 
configuration  tasks  6-12 
described  6-11 

RADIUS  server  attributes  6-11 
ports 

authorization state and dot1x port-control
command  6-7 

authorized  and  unauthorized  6-7 

critical  6-14 

voice  VLAN  6-15 
port  security 

and  voice  VLAN  6-16 

described  6-16 

interactions  6-16 

multiple-hosts  mode  6-8 
resetting  to  default  values  6-42 
statistics,  displaying  6-42 
switch 

as  proxy  6-3 

RADIUS  client  6-3 
upgrading  from  a  previous  release  6-23 
VLAN  assignment 

AAA  authorization  6-23 

characteristics  6-10 

configuration  tasks  6-11 

described  6-10 
voice  VLAN 

described  6-15 

PVID  6-15 

VVID  6-15 
wake-on-LAN,  described  6-16 
port  blocking  1-3,18-6 
port-channel 

See  EtherChannel 


Port  Fast 

described  14-2 

enabling  14-10 

mode,  spanning  tree  9-27 

support  for  1-6 
port  membership  modes,  VLAN  9-3 
port  priority 

MSTP  13-19 

STP  12-16 
ports 

access  7-2 

blocking  18-6 

dynamic  access  9-3 

protected  18-5 

secure  18-7 

static-access  9-3,9-10 

switch  7-2 

trunks    9-3, 9-14 

VLAN  assignments  9-10 
port  security 

aging  18-16 

and  QoS  trusted  boundary  27-37 

configuring  18-11 

default  configuration  18-10 

described  18-7 

displaying  18-17 

on  trunk  ports  18-13 

sticky  learning  18-8 

violations  18-9 

with  other  features  18-10 
port-shutdown  response,  VMPS  9-26 
preemption 

default  configuration  15-5 
preemption  delay 

default  configuration  15-5 
preferential  treatment  of  traffic 

See  QoS 

preventing  unauthorized  access  5-1 
primary  links  15-2 
priority

overriding  CoS  11-6 

trusting  CoS  11-6 
private  VLAN  edge  ports 

See  protected  ports 
privileged  EXEC  mode  2-2 
privilege  levels 

changing  the  default  for  lines  5-9 

exiting  5-9 

logging  into  5-9 

overview    5-2, 5-7 

setting  a  command  with  5-8 
protected  ports  1-7,18-5 
pruning,  VTP 

disabling 
in  VTP  domain  10-14 
on  a  port  9-21 

enabling 
in  VTP  domain  10-14 
on  a  port  9-20 

examples  10-5 

overview  10-4 
pruning-eligible  list 

changing  9-20 

for  VTP  pruning  10-4 

VLANs  10-14 
PVST+ 

described  12-9 

IEEE 802.1Q trunking interoperability 12-10
instances  supported  12-9 
Q

QoS

and  MQC  commands  27-1 
auto-QoS 

categorizing  traffic  27-21 

configuration  and  defaults  display  27-29 

configuration  guidelines  27-25 

described  27-20 

disabling  27-26 

displaying  generated  commands  27-26 

displaying  the  initial  configuration  27-29 

effects  on  running  configuration  27-25 

egress  queue  defaults  27-21 

enabling  for  VoIP  27-26 

example  configuration  27-27 

ingress  queue  defaults  27-21 

list  of  generated  commands  27-22 
basic  model  27-4 
classification 

class  maps,  described  27-7 

defined  27-4 

DSCP  transparency,  described  27-39 
flowchart  27-6 
forwarding  treatment  27-3 
in  frames  and  packets  27-3 
IP  ACLs,  described    27-5, 27-7 
MAC  ACLs,  described    27-5, 27-7 
options  for  IP  traffic  27-5 
options  for  non-IP  traffic  27-5 
policy  maps,  described  27-7 
trust  DSCP,  described  27-5 
trusted  CoS,  described  27-5 
trust  IP  precedence,  described  27-5 
class  maps 
configuring  27-45 
displaying  27-75 
QoS (continued)
configuration  guidelines 

auto-QoS  27-25 

standard  QoS  27-32 
configuring 

aggregate  policers  27-55 

auto-QoS  27-20 

default  port  CoS  value  27-37 

DSCP  maps  27-57 

DSCP  transparency  27-39 

DSCP  trust  states  bordering  another  domain  27-39 

egress  queue  characteristics  27-67 

ingress  queue  characteristics  27-63 

IP  extended  ACLs  27-43 

IP  standard  ACLs  27-42 

MAC  ACLs  27-44 

policy  maps,  hierarchical  27-50 

policy  maps  on  physical  ports  27-47 

port  trust  states  within  the  domain  27-35 

trusted  boundary  27-37 
default  auto  configuration  27-21 
default  standard  configuration  27-30 
displaying  statistics  27-75 
DSCP  transparency  27-39 
egress  queues 

allocating  buffer  space  27-68 

buffer  allocation  scheme,  described  27-18 

configuring  shaped  weights  for  SRR  27-72 

configuring  shared  weights  for  SRR  27-73 

described  27-4 

displaying  the  threshold  map  27-71 
flowchart  27-17 

mapping  DSCP  or  CoS  values  27-70 
scheduling,  described  27-4 
setting  WTD  thresholds  27-68 
WTD,  described  27-19 
enabling  globally  27-34 


QoS  (continued) 
flowcharts 
classification  27-6 

egress  queueing  and  scheduling  27-17 
ingress  queueing  and  scheduling  27-15 
policing  and  marking  27-10 

implicit  deny  27-7 

ingress  queues 
allocating  bandwidth  27-65 
allocating  buffer  space  27-65 
buffer  and  bandwidth  allocation,  described  27-16 
configuring  shared  weights  for  SRR  27-65 
configuring  the  priority  queue  27-66 
described  27-4 

displaying  the  threshold  map  27-64 
flowchart  27-15 

mapping  DSCP  or  CoS  values  27-64 
priority  queue,  described  27-16 
scheduling,  described  27-4 
setting  WTD  thresholds  27-64 
WTD,  described  27-16 
IP  phones 

automatic  classification  and  queueing  27-20 

detection  and  trusted  settings    27-20, 27-37 
limiting  bandwidth  on  egress  interface  27-74 
mapping  tables 

CoS-to-DSCP  27-58 

displaying  27-75 

DSCP-to-CoS  27-61 

DSCP-to-DSCP-mutation  27-62 

IP-precedence-to-DSCP  27-59 

policed-DSCP  27-60 

types  of  27-12 
marked-down  actions    27-49, 27-53 
marking,  described    27-4, 27-8 
overview  27-1 
packet  modification  27-19 
QoS (continued)
policers 

configuring    27-49, 27-53, 27-56 

described  27-8 

displaying  27-75 

number  of  27-33 

types  of  27-9 
policies,  attaching  to  an  interface  27-8 
policing 

described    27-4, 27-8 

token  bucket  algorithm  27-9 
policy  maps 

characteristics  of  27-47 

displaying  27-76 

hierarchical  27-8 

hierarchical  on  SVIs  27-50 

nonhierarchical  on  physical  ports  27-47 
QoS  label,  defined  27-4 
queues 

configuring  egress  characteristics  27-67 

configuring  ingress  characteristics  27-63 

high  priority  (expedite)    27-19, 27-74 

location  of  27-13 

SRR,  described  27-14 

WTD,  described  27-13 
rewrites  27-19 
support  for  1-8 
trust  states 

bordering  another  domain  27-39 

described  27-5 

trusted  device  27-37 

within  the  domain  27-35 
quality  of  service 

See  QoS 
queries,  IGMP  17-4 
query  solicitation,  IGMP  17-12 


R 

RADIUS 
attributes 

vendor-proprietary  5-31 

vendor-specific  5-29 
configuring 

accounting  5-28 

authentication  5-23 

authorization  5-27 

communication,  global    5-21,  5-29 

communication,  per-server    5-20, 5-21 

multiple  UDP  ports  5-20 
default  configuration  5-20 
defining  AAA  server  groups  5-25 
displaying  the  configuration  5-31 
identifying  the  server  5-20 
limiting  the  services  to  the  user  5-27 
method  list,  defined  5-19 
operation  of  5-19 
overview  5-18 

suggested  network  environments  5-18 
support  for  1-7 

tracking  services  accessed  by  user  5-28 
range 

macro  7-7 

of  interfaces  7-6 
rapid  convergence  13-10 
rapid  per-VLAN  spanning-tree  plus 

See  rapid  PVST+ 
rapid  PVST+ 

described  12-9 

IEEE 802.1Q trunking interoperability 12-10
instances  supported  12-9 
Rapid  Spanning  Tree  Protocol 
See  RSTP 
RCP

configuration  files 
downloading  B-18 
overview  B-17 
preparing  the  server  B-17 
uploading  B-19 
image  files 
deleting  old  image  B-33 
downloading  B-31 
preparing  the  server  B-30 
uploading  B-33 
reconfirmation  interval,  VMPS,  changing  9-29 
reconfirming  dynamic  VLAN  membership  9-29 
recovery  procedures  29-1 
redundancy 
EtherChannel  28-2 
STP 
backbone  12-8 
path  cost  9-24 
port  priority  9-22 
redundant  links  and  UplinkFast  14-13 
reloading  software  3-16 
Remote  Authentication  Dial-In  User  Service 

See  RADIUS 
Remote  Copy  Protocol 

See  RCP 
Remote  Network  Monitoring 

See  RMON 
Remote  SPAN 
See  RSPAN 
remote  SPAN  22-2 
report  suppression,  IGMP 
described  17-6 
disabling  17-15 
requirements 
cluster  xxx 
device  manager  xxx 
Network  Assistant  xxx 
resequencing  ACL  entries  26-12 


resetting  a  UDLD-shutdown  interface  21-6 
restricted  VLAN 

configuring  6-32 

described  6-13 

using with IEEE 802.1x 6-13
restricting  access 

NTP  services  4-8 

overview  5-1 

passwords  and  privilege  levels  5-2 

RADIUS  5-17 

TACACS+  5-10 
retry  count,  VMPS,  changing  9-29 
RFC 

1112, IP multicast and IGMP 17-2

1157, SNMPv1 25-2

1305,  NTP  4-2 

1757,  RMON  23-2 

1901,  SNMPv2C  25-2 

1902  to  1907,  SNMPv2  25-2 

2236,  IP  multicast  and  IGMP  17-2 

2273-2275,  SNMPv3  25-2 
RMON 

default  configuration  23-3 

displaying  status  23-6 

enabling  alarms  and  events  23-3 

groups  supported  23-2 

overview  23-1 

statistics 
collecting  group  Ethernet  23-5 
collecting  group  history  23-5 

support  for  1-9 
root  guard 

described  14-8 

enabling  14-15 

support  for  1-6 
root  switch 

MSTP  13-17 

STP  12-14 




RSPAN 
characteristics  22-7 
configuration  guidelines  22-15 
default  configuration  22-9 
defined  22-2 
destination  ports  22-6 
displaying  status  22-23 
interaction  with  other  features  22-8 
monitored  ports  22-5 
monitoring  ports  22-6 
overview  1-9,22-1 
received  traffic  22-4 
sessions 

creating  22-16 

defined  22-3 

limiting  source  traffic  to  specific  VLANs  22-22 

specifying  monitored  ports  22-16 

with  ingress  traffic  enabled  22-20 
source  ports  22-5 
transmitted  traffic  22-5 
VLAN-based  22-6 
RSTP 

active  topology  13-9 
BPDU 

format  13-12 

processing  13-13 
designated  port,  defined  13-9 
designated  switch,  defined  13-9 
interoperability with IEEE 802.1D

described  13-8 

restarting  migration  process  13-25 

topology  changes  13-13 
overview  13-8 
port  roles 

described  13-9 

synchronized  13-11 
proposal-agreement  handshake  process  13-10 


RSTP  (continued) 
rapid  convergence 
described  13-10 
edge  ports  and  Port  Fast  13-10 
point-to-point links 13-10, 13-24
root  ports  13-10 
root  port,  defined  13-9 
See  also  MSTP 
running  configuration,  saving  3-11 


S

scheduled  reloads  3-16 
secure  HTTP  client 

configuring  5-47 

displaying  5-48 
secure  HTTP  server 

configuring  5-46 

displaying  5-48 
secure  MAC  addresses 

deleting  18-15 

maximum  number  of  18-9 

types  of  18-8 
secure  ports 

configuring  18-7 
secure  remote  connections  5-38 
Secure  Shell 

See  SSH 
Secure  Socket  Layer 

See  SSL 
security,  port  18-7 
security  features  1-7 
sequence  numbers  in  log  messages  24-7 
server  mode,  VTP  10-3 

service-provider  network,  MSTP  and  RSTP  13-1 

set-request  operation  25-5 

setup  program 
failed  command  switch  replacement  29-10 
replacing  failed  command  switch  29-8 
severity levels, defining in system messages 24-8
SFPs 

monitoring  status  of  7-16,29-12 
security  and  identification  29-12 
status,  displaying  29-12 
shaped  round  robin 
See  SRR 

show  access-lists  hw-summary  command  26-18 

show  and  more  command  output,  filtering  2-10 

show  cdp  traffic  command  19-5 

show  configuration  command  7-14 

show  forward  command  29-20 

show  interfaces  command    7-11,  7-14 

show  lldp  traffic  command  20-7 

show  platform  forward  command  29-20 

show  running-config  command 

displaying ACLs 26-17, 26-24, 26-26

interface  description  in  7-14 
shutdown  command  on  interfaces  7-17 
Simple  Network  Management  Protocol 

See  SNMP 
Smartports  macros 

applying  Cisco-default  macros  8-6 

applying  global  parameter  values    8-5,  8-6 

applying  macros  8-5 

applying  parameter  values    8-5, 8-7 

configuration  guidelines  8-3 

creating  8-4 

default  configuration  8-2 

defined  8-1 

displaying  8-8 

tracing  8-3 

website  8-2 
SNAP  19-1 
SNMP 

accessing  MIB  variables  with  25-4 
agent 

described  25-4 

disabling  25-8 


SNMP  (continued) 
authentication  level  25-11 
community  strings 

configuring  25-8 

for  cluster  switches  25-4 

overview  25-4 
configuration  examples  25-16 
default  configuration  25-7 
engine  ID  25-7 
groups  25-7,25-10 
host  25-7 
ifIndex values 25-6
in-band  management  1-5 
informs 

and  trap  keyword  25-12 

described  25-5 

differences  from  traps  25-5 

disabling  25-15 

enabling  25-15 
limiting  access  by  TFTP  servers  25-16 
limiting  system  log  messages  to  NMS  24-9 
manager  functions    1-4, 25-3 
MIBs 

location  of  A-3 

supported  A-1 
notifications  25-5 
overview  25-1,25-4 
security  levels  25-3 
status,  displaying  25-17 
system  contact  and  location  25-15 
trap  manager,  configuring  25-14 
traps 

described    25-3, 25-5 
differences  from  informs  25-5 
disabling  25-15 
enabling  25-12 

enabling  MAC  address  notification  4-22 
overview  25-1,25-5 
types  of  25-12 




SNMP  (continued) 

users  25-7,25-10 

versions  supported  25-2 
SNMPv1 25-2
SNMPv2C  25-2 
SNMPv3  25-2 
snooping, IGMP 17-1
software images
  location in flash B-21
  recovery procedures 29-2
  scheduling reloads 3-17
  tar file format, described B-21
  See also downloading and uploading
source addresses, in IPv4 ACLs 26-9
source-and-destination-IP address based forwarding, EtherChannel 28-7
source-and-destination MAC address forwarding, EtherChannel 28-6
source-IP address based forwarding, EtherChannel 28-7
source-MAC address forwarding, EtherChannel 28-6
SPAN
  configuration guidelines 22-10
  default configuration 22-9
  destination ports 22-6
  displaying status 22-23
  interaction with other features 22-8
  monitored ports 22-5
  monitoring ports 22-6
  overview 1-9, 22-1
  ports, restrictions 18-11
  received traffic 22-4
  sessions
    configuring ingress forwarding 22-14, 22-21
    creating 22-10
    defined 22-3
    limiting source traffic to specific VLANs 22-14
    removing destination (monitoring) ports 22-12
    specifying monitored ports 22-10
    with ingress traffic enabled 22-13
  source ports 22-5
  transmitted traffic 22-5
  VLAN-based 22-6
spanning tree and native VLANs 9-17
Spanning Tree Protocol
  See STP
SPAN traffic 22-4
SRR
  configuring
    shaped weights on egress queues 27-72
    shared weights on egress queues 27-73
    shared weights on ingress queues 27-65
  described 27-14
  shaped mode 27-14
  shared mode 27-14
  support for 1-8, 1-9
SSH
  configuring 5-39
  cryptographic software image 5-37
  described 1-5, 5-38
  encryption methods 5-38
  user authentication methods, supported 5-38
SSL
  configuration guidelines 5-45
  configuring a secure HTTP client 5-47
  configuring a secure HTTP server 5-46
  described 5-42
  monitoring 5-48
standby links 15-2
startup configuration
  booting
    manually 3-13
    specific image 3-14
  clearing B-20
  configuration file
    automatically downloading 3-13
    specifying the filename 3-13
  default boot configuration 3-12
static access ports
  assigning to VLAN 9-10
  defined 7-2, 9-3
static addresses
  See addresses
static MAC addressing 1-7
static VLAN membership 9-2
statistics
  802.1x 6-42
  CDP 19-5
  interface 7-16
  LLDP 20-7
  LLDP-MED 20-7
  QoS ingress and egress 27-75
  RMON group Ethernet 23-5
  RMON group history 23-5
  SNMP input and output 25-17
  VTP 10-16
sticky learning 18-8
storm control
  configuring 18-3
  described 18-1
  disabling 18-5
  displaying 18-17
  support for 1-3
  thresholds 18-1
STP
  accelerating root port selection 14-4
  BackboneFast
    described 14-5
    disabling 14-14
    enabling 14-13
  BPDU filtering
    described 14-3
    disabling 14-12
    enabling 14-12
  BPDU guard
    described 14-2
    disabling 14-12
    enabling 14-11
  BPDU message exchange 12-3
  configuration guidelines 12-12, 14-10
  configuring
    forward-delay time 12-21
    hello time 12-20
    maximum aging time 12-21
    path cost 12-18
    port priority 12-16
    root switch 12-14
    secondary root switch 12-16
    spanning-tree mode 12-13
    switch priority 12-19
    transmit hold-count 12-22
  counters, clearing 12-22
  default configuration 12-11
  default optional feature configuration 14-9
  designated port, defined 12-3
  designated switch, defined 12-3
  detecting indirect link failures 14-5
  disabling 12-14
  displaying status 12-22
  EtherChannel guard
    described 14-7
    disabling 14-14
    enabling 14-14
  extended system ID
    effects on root switch 12-14
    effects on the secondary root switch 12-16
    overview 12-4
    unexpected behavior 12-14
  features supported 1-5
  IEEE 802.1D and bridge ID 12-4
  IEEE 802.1D and multicast addresses 12-8
  IEEE 802.1t and VLAN identifier 12-4
  inferior BPDU 12-3
  instances supported 12-9
  interface state, blocking to forwarding 14-2
  interface states
    blocking 12-6
    disabled 12-7
    forwarding 12-5, 12-6
    learning 12-6
    listening 12-6
    overview 12-4
  interoperability and compatibility among modes 12-10
  limitations with IEEE 802.1Q trunks 12-10
  load sharing
    overview 9-22
    using path costs 9-24
    using port priorities 9-22
  loop guard
    described 14-9
    enabling 14-15
  modes supported 12-9
  multicast addresses, effect of 12-8
  optional features supported 1-6
  overview 12-2
  path costs 9-24
  Port Fast
    described 14-2
    enabling 14-10
  port priorities 9-23
  preventing root switch selection 14-8
  protocols supported 12-9
  redundant connectivity 12-8
  root guard
    described 14-8
    enabling 14-15
  root port, defined 12-3
  root switch
    configuring 12-14
    effects of extended system ID 12-4, 12-14
    election 12-3
    unexpected behavior 12-14
  shutdown Port Fast-enabled port 14-2
  status, displaying 12-22
  superior BPDU 12-3
  timers, described 12-20
  UplinkFast
    described 14-3
    enabling 14-13
stratum, NTP 4-2
success response, VMPS 9-26
summer time 4-13
SunNet Manager 1-4
switch clustering technology
  See also clusters, switch
switch console port 1-5
Switched Port Analyzer
  See SPAN
switched ports 7-2
switchport block multicast command 18-7
switchport block unicast command 18-7
switchport protected command 18-6
switch priority
  MSTP 13-21
  STP 12-19
switch software features 1-1
syslog
  See system message logging
system clock
  configuring
    daylight saving time 4-13
    manually 4-11
    summer time 4-13
    time zones 4-12
  displaying the time and date 4-12
  overview 4-1
  See also NTP
system message logging
  default configuration 24-3
  defining error message severity levels 24-8
  disabling 24-3
  displaying the configuration 24-12
  enabling 24-4
  facility keywords, described 24-11
  level keywords, described 24-9
  limiting messages 24-9
  message format 24-2
  overview 24-1
  sequence numbers, enabling and disabling 24-7
  setting the display destination device 24-4
  synchronizing log messages 24-5
  syslog facility 1-9
  time stamps, enabling and disabling 24-7
  UNIX syslog servers
    configuring the daemon 24-10
    configuring the logging facility 24-11
    facilities supported 24-11
system name
  default configuration 4-15
  default setting 4-15
  manual configuration 4-15
  See also DNS
system prompt, default setting 4-14, 4-15


T

TACACS+
  accounting, defined 5-11
  authentication, defined 5-11
  authorization, defined 5-11
  configuring
    accounting 5-17
    authentication key 5-13
    authorization 5-16
    login authentication 5-14
  default configuration 5-13
  displaying the configuration 5-17
  identifying the server 5-13
  limiting the services to the user 5-16
  operation of 5-12
  overview 5-10
  support for 1-7
  tracking services accessed by user 5-17
tar files
  creating B-6
  displaying the contents of B-6
  extracting B-8
  image file format B-21
TDR 1-9
Telnet
  accessing management interfaces 2-10
  number of connections 1-5
  setting a password 5-6
temporary self-signed certificate 5-43
Terminal Access Controller Access Control System Plus
  See TACACS+
terminal lines, setting a password 5-6
TFTP
  configuration files
    downloading B-12
    preparing the server B-11
    uploading B-12
  configuration files in base directory 3-6
  configuring for autoconfiguration 3-6
  image files
    deleting B-24
    downloading B-23
    preparing the server B-23
    uploading B-25
  limiting access by servers 25-16
TFTP server 1-4
threshold, traffic level 18-2
time
  See NTP and system clock
Time Domain Reflector
  See TDR
time-range command 26-14
time ranges in ACLs 26-14
time stamps in log messages 24-7
time zones 4-12
TLVs
  defined 20-1
  LLDP 20-1
  LLDP-MED 20-2
Token Ring VLANs
  support for 9-5
  VTP support 10-4
ToS 1-8
traceroute, Layer 2
  and ARP 29-15
  and CDP 29-15
  broadcast traffic 29-14
  described 29-14
  IP addresses and subnets 29-15
  MAC addresses and VLANs 29-15
  multicast traffic 29-15
  multiple devices on a port 29-15
  unicast traffic 29-14
  usage guidelines 29-15
traceroute command 29-17
  See also IP traceroute
traffic
  blocking flooded 18-7
  fragmented 26-4
  unfragmented 26-4
traffic policing 1-8
traffic suppression 18-1
transmit hold-count
  See STP
transparent mode, VTP 10-3, 10-12
trap-door mechanism 3-2
traps
  configuring MAC address notification 4-22
  configuring managers 25-12
  defined 25-3
  enabling 4-22, 25-12
  notification types 25-12
  overview 25-1, 25-5
troubleshooting
  connectivity problems 29-13, 29-14, 29-16
  detecting unidirectional links 21-1
  displaying crash information 29-22
  setting packet forwarding 29-20
  SFP security and identification 29-12
  show forward command 29-20
  with CiscoWorks 25-4
  with debug commands 29-18
  with ping 29-13
  with system message logging 24-1
  with traceroute 29-16
trunking encapsulation 1-6
trunk ports
  configuring 9-18
  defined 7-3, 9-3
  encapsulation 9-18, 9-23, 9-24
trunks
  allowed-VLAN list 9-19
  configuring 9-18, 9-23, 9-24
  ISL 9-14
  load sharing
    setting STP path costs 9-24
    using STP port priorities 9-22, 9-23
  native VLAN for untagged traffic 9-21
  parallel 9-24
  pruning-eligible list 9-20
  to non-DTP device 9-15
trusted boundary for QoS 27-37
trusted port states
  between QoS domains 27-39
  classification options 27-5
  ensuring port security for IP phones 27-37
  support for 1-8
  within a QoS domain 27-35
trustpoints, CA 5-42
twisted-pair Ethernet, detecting unidirectional links 21-1
type of service
  See ToS

U

UDLD
  configuration guidelines 21-4
  default configuration 21-4
  disabling
    globally 21-5
    on fiber-optic interfaces 21-5
    per interface 21-5
  echoing detection mechanism 21-2
  enabling
    globally 21-5
    per interface 21-5
  link-detection mechanism 21-1
  neighbor database 21-2
  overview 21-1
  resetting an interface 21-6
  status, displaying 21-6
  support for 1-5
unauthorized ports with IEEE 802.1x 6-7
unicast MAC address filtering 1-4
  and adding static addresses 4-25
  and broadcast MAC addresses 4-25
  and CPU packets 4-25
  and multicast addresses 4-25
  and router MAC addresses 4-25
  configuration guidelines 4-25
  described 4-25
unicast storm 18-1
unicast storm control command 18-4
unicast traffic, blocking 18-7
UniDirectional Link Detection protocol
  See UDLD
UNIX syslog servers
  daemon configuration 24-10
  facilities supported 24-11
  message logging configuration 24-11
unrecognized Type-Length-Value (TLV) support 10-4
upgrading information
  See release notes
upgrading software images
  See downloading
UplinkFast
  described 14-3
  disabling 14-13
  enabling 14-13
  support for 1-5
uploading
  configuration files
    preparing B-11, B-14, B-17
    reasons for B-9
    using FTP B-15
    using RCP B-19
    using TFTP B-12
  image files
    preparing B-23, B-26, B-30
    reasons for B-21
    using FTP B-28
    using RCP B-33
    using TFTP B-25
user EXEC mode 2-2
username-based authentication 5-6


V

version-dependent transparent mode 10-4
vlan.dat file 9-4
VLAN 1, disabling on a trunk port 9-19
VLAN 1 minimization 9-19
VLAN ACLs
  See VLAN maps
vlan-assignment response, VMPS 9-25
VLAN configuration
  at bootup 9-7
  saving 9-7
VLAN configuration mode 2-2, 9-6
VLAN database
  and startup configuration file 9-7
  and VTP 10-1
  VLAN configuration saved in 9-7
  VLANs saved in 9-4
vlan database command 9-6
VLAN filtering and SPAN 22-6
vlan global configuration command 9-6
VLAN ID, discovering 4-26
VLAN load balancing on flex links 15-2
  configuration guidelines 15-5
VLAN management domain 10-2
VLAN Management Policy Server
  See VMPS
VLAN map entries, order of 26-23
VLAN maps
  applying 26-26
  common uses for 26-27
  configuration guidelines 26-23
  configuring 26-22
  creating 26-24
  defined 26-2, 26-3
  denying access to a server example 26-28
  denying and permitting packets 26-24
  displaying 26-29
  examples of ACLs and VLAN maps 26-24
  removing 26-26
  support for 1-7
  wiring closet configuration example 26-27
VLAN membership
  confirming 9-29
  modes 9-3
VLAN Query Protocol
  See VQP
VLANs
  adding 9-8
  adding to VLAN database 9-8
  aging dynamic addresses 12-9
  allowed on trunk 9-19
  and spanning-tree instances 9-2, 9-6, 9-12
  configuration guidelines, extended-range VLANs 9-12
  configuration guidelines, normal-range VLANs 9-5
  configuration options 9-6
  configuring 9-1
  configuring IDs 1006 to 4094 9-12
  creating in config-vlan mode 9-8
  creating in VLAN configuration mode 9-9
  default configuration 9-7
  deleting 9-10
  described 7-1, 9-1
  displaying 9-14
  extended-range 9-1, 9-11
  features 1-6
  illustrated 9-2
  limiting source traffic with RSPAN 22-22
  limiting source traffic with SPAN 22-14
  modifying 9-8
  multicast 17-17
  native, configuring 9-21
  normal-range 9-1, 9-4
  number supported 1-6
  parameters 9-4
  port membership modes 9-3
  static-access ports 9-10
  STP and IEEE 802.1Q trunks 12-10
  supported 9-2
  Token Ring 9-5
  traffic between 9-2
  VTP modes 10-3
VLAN Trunking Protocol
  See VTP
VLAN trunks 9-14
VMPS
  administering 9-30
  configuration example 9-30
  configuration guidelines 9-27
  default configuration 9-26
  description 9-25
  dynamic port membership
    described 9-26
    reconfirming 9-29
    troubleshooting 9-30
  entering server address 9-27
  mapping MAC addresses to VLANs 9-25
  monitoring 9-30
  reconfirmation interval, changing 9-29
  reconfirming membership 9-29
  retry count, changing 9-29
voice-over-IP 11-1
voice VLAN
  Cisco 7960 phone, port connections 11-1
  configuration guidelines 11-3
  configuring IP phones for data traffic
    override CoS of incoming frame 11-6
    trust CoS priority of incoming frame 11-6
  configuring ports for voice traffic in
    802.1p priority tagged frames 11-5
    802.1Q frames 11-5
  connecting to an IP phone 11-4
  default configuration 11-3
  described 11-1
  displaying 11-6
  IP phone data traffic, described 11-2
  IP phone voice traffic, described 11-2
VQP 1-6, 9-25
VTP
  adding a client to a domain 10-14
  advertisements 9-17, 10-3
  and extended-range VLANs 10-1
  and normal-range VLANs 10-1
  client mode, configuring 10-11
  configuration
    global configuration mode 10-7
    guidelines 10-8
    privileged EXEC mode 10-7
    requirements 10-9
    saving 10-7
    VLAN configuration mode 10-7
  configuration mode options 10-7
  configuration requirements 10-9
  configuration revision number
    guideline 10-14
    resetting 10-15
  configuring
    client mode 10-11
    server mode 10-9
    transparent mode 10-12
  consistency checks 10-4
  default configuration 10-6
  described 10-1
  disabling 10-12
  domain names 10-8
  domains 10-2
  modes
    client 10-3, 10-11
    server 10-3, 10-9
    transitions 10-3
    transparent 10-3, 10-12
  monitoring 10-16
  passwords 10-8
  pruning
    disabling 10-14
    enabling 10-14
    examples 10-5
    overview 10-4
    support for 1-6
  pruning-eligible list, changing 9-20
  server mode, configuring 10-9
  statistics 10-16
  support for 1-6
  Token Ring support 10-4
  transparent mode, configuring 10-12
  using 10-1
  version, guidelines 10-8
  Version 1 10-4
  Version 2
    configuration guidelines 10-8
    disabling 10-13
    enabling 10-13
    overview 10-4


W

web authentication
  configuring 6-38 to 6-41
  described 6-18
  fallback for IEEE 802.1x 6-40
weighted tail drop
  See WTD
wizards 1-2
WTD
  described 27-13
  setting thresholds
    egress queue-sets 27-68
    ingress queues 27-64
  support for 1-8, 1-9

X

Xmodem protocol 29-2




